Doubletrouble
Last updated
To start, we run host discovery on our network with arp-scan and find a MAC address starting with 08:..., a prefix typically assigned to virtual machines.
And we find the IP of the victim machine: 192.168.18.191
Now it's time for open-port reconnaissance, for which we'll use Nmap. With the following command we perform a quick scan of all ports on the victim machine.
Now that we know the open ports, let's conduct a more detailed scan on these ports.
When we open the hosted website we see a login page, as the Nmap scan already indicated.
Next we enumerate directories with Gobuster to see whether any of them can help us gain access.
We come across the following directory, which will be useful; the others contain nothing significant:
Inside the /secret directory there is an image, so I download it and apply steganography tools to check whether it hides any information.
And we use Stegseek:
The extracted file contains the credentials to log in.
So, we log in through the page we saw earlier using the obtained credentials.
Now that we are inside, let's upload a malicious PHP file that lets us execute commands. I'm going to upload it as the user's profile picture.
The code:
We upload it and browse to the /uploads directory found earlier during the Gobuster enumeration. Inside the users folder we find our PHP file.
And now, we can execute commands.
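The root cause here is that the profile-picture upload accepts a file based on its name alone and then stores it under a web path where the PHP handler runs it. The following validator is an added example written for this page (not code from the machine or its web application): it accepts an upload only if it has a single allowlisted image extension, its content starts with that type's magic bytes and it contains no PHP open tag, and it replaces the client-chosen filename with a random one. The magic-byte table, PHP tag list and sample uploads are constructed for the example.

```python
import os
import secrets

# Extensions accepted for a profile picture, each mapped to the magic bytes a genuine
# file of that type starts with. Constructed for this example; extend as needed.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Open tags that would make a polyglot "image" run if it ever reached the PHP handler.
PHP_TAGS = (b"<?php", b"<?=")


def check_upload(filename, data):
    """Validate an uploaded profile picture; return (accepted, reason)."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # Exactly one extension: rejects "shell.php.png" style double extensions.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in IMAGE_MAGIC:
        return False, "extension not in image allowlist"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match declared image type"
    if any(tag in data for tag in PHP_TAGS):
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def storage_name(filename):
    """Server-chosen filename: random token plus the validated extension, so the
    client never controls the stored name or path."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (not files from the machine).
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,          # genuine image
    "shell.php": b"<?php echo 'not an image'; ?>",              # plain PHP file
    "shell.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,       # double extension
    "poly.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>",  # image/PHP polyglot
    "renamed.jpg": b"<?php echo 1; ?>",                         # PHP renamed to .jpg
}


def run_samples():
    """Run every constructed sample through the validator; return {name: accepted}."""
    return {name: check_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, why = check_upload(name, data)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Content checks like these reduce the attack surface but a valid image with PHP appended can still slip past the magic-byte test, so the check that actually closes this hole is on the server side: files under /uploads must be served as static content and never handed to the PHP interpreter, and the random storage name keeps an attacker from guessing or choosing the path they would later request.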
Now we spawn a reverse shell to gain access to the machine. To do this, we set up a netcat listener on port 4444:
And then we execute this code on the website:
And we're in. Now I'm going to upgrade to a proper TTY.
Time for privilege escalation. Checking our sudo permissions, we notice that we can run the awk binary as root.
The GTFOBins page shows how to leverage these permissions.
Now, we execute the command:
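The sudo rule that lets awk run as root is exactly the kind of entry a sudoers review should catch before an attacker does. The script below is an added example for this page, not code from the machine or from GTFOBins: it parses sudoers-style rules and flags users who are granted ALL or a binary from a hand-picked, partial set of programs known to hand out a shell when run through sudo. The binary list and the sample sudoers text are constructed; Cmnd_Alias names are not resolved.

```python
import os
import re

# Hand-picked, partial set of binaries that give a shell or arbitrary file writes when
# run through sudo (the kind of entries documented on GTFOBins). Constructed for this
# example; a real audit should use a fuller list.
SHELL_ESCAPE_BINARIES = {
    "awk", "gawk", "mawk", "nawk", "vi", "vim", "nano", "less", "more", "man",
    "find", "env", "bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby",
}

# user  host=(runas) [TAG:]... command[, command...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|SETENV|EXEC|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT):\s*)*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return [(user, command, reason)] for rules that grant a shell-escape binary or
    unrestricted commands. Skips comments, Defaults, alias lines and root's own entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, rest = m.group(1), m.group(4)
        if user == "root":
            continue
        tags = TAG_RE.match(rest).group(0)
        nopasswd = "NOPASSWD:" in tags
        for cmd in rest[len(tags):].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted sudo"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                reason = "shell-escape binary" + (", NOPASSWD" if nopasswd else "")
                findings.append((user, cmd, reason))
    return findings


# Constructed sample, not the machine's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
www-data        ALL=(root) NOPASSWD: /usr/bin/awk
backup          ALL=(root) /usr/bin/rsync -a /srv /mnt/backup
%admin          ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:10} {cmd:30} {reason}")
```

Run it against `sudo -l` output reformatted as rules, or directly against the contents of /etc/sudoers and /etc/sudoers.d, as part of a build check; the fix for a hit is to remove the entry or replace the general-purpose interpreter with a wrapper script that does only the one job the user needs.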
But we're not done yet. Even though we are root, there is no flag to be found. Instead we find another virtual machine with the same name stored inside this one, so we need to download it.
Victim machine:
Our real machine:
Since I'm using Windows 10, I'll use the following command to download it from PowerShell:
Now we start the new machine and find its IP address with arp-scan. In this case the second machine's IP is 192.168.18.193.
So I perform another port scan with Nmap.
Another login page:
Now we capture the login request with Burp Suite and then use sqlmap to check whether it is vulnerable to SQL injection.
We copy the whole request into a file, which I'll call sqlmap.txt, and run sqlmap against it:
And we see that it is indeed vulnerable. Next we run the following command to list the existing databases:
Now that we have found the "doubletrouble" database, let's look inside it:
We come across usernames and passwords. The first one doesn't work, but clapton's credentials work for SSH.
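A login form that sqlmap can pull a whole database out of is almost always building its query by string concatenation. The following is an added example for this page, written in Python with sqlite3 rather than the machine's own PHP/MySQL stack and not the application's real code: it shows the vulnerable pattern next to the parameterized version and runs the same hostile username through both. The table, rows and credentials are constructed.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not the machine's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("clapton", "correct-horse"), ("montreux", "battery-staple")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote or comment
    sequence in the input changes the meaning of the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened: same query with bound parameters; the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Send one hostile username through both versions; return (concat, param)."""
    conn = make_db()
    # Closes the quoted literal; in the concatenated query everything after "--"
    # becomes a comment, so the password check disappears.
    hostile = "clapton'--"
    return login_concat(conn, hostile, "wrong"), login_param(conn, hostile, "wrong")


if __name__ == "__main__":
    concat_result, param_result = demo()
    print("string concatenation ->", concat_result)   # logged in without the password
    print("bound parameters     ->", param_result)    # None: no such user
```

Parameterization stops the injection but not the second problem the walkthrough exposes: the passwords sat in the table in clear text, so one dumped row was enough to SSH in. Storing a salted password hash instead means a dump alone does not yield working credentials.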
And finally, we obtain the user flag.
Now comes the second privilege escalation. We find that the system's version is vulnerable to a local privilege escalation exploit.
We download it and follow the steps it indicates.
Then we transfer it to the target machine with netcat:
Target machine:
Local machine:
Now we compile it:
Now we run it, passing the password we want to set. Mine will be 'hello':
We then switch to the root user, which is now named firefart.
And we enter the password we assigned earlier.
And there you go, we are root. Now we can obtain the root flag.
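The visible footprint of this last step is that /etc/passwd now carries a uid 0 account called firefart where root used to be, which is something a host monitor can detect without knowing anything about the exploit. The script below is an added example for this page, not code from the machine or the exploit: it diffs a baseline copy of /etc/passwd against the current one and reports added, removed and changed accounts plus any uid 0 entry other than root. Both passwd texts are constructed.

```python
def parse_passwd(text):
    """Map username -> (uid, full line) from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; a real monitor would alert on this as well
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        users[fields[0]] = (uid, line)
    return users


def compare_passwd(baseline_text, current_text):
    """Report account changes between a trusted baseline and the current file."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    common = set(base) & set(cur)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": sorted(u for u in common if base[u][1] != cur[u][1]),
        # Any uid 0 account other than root is a superuser by another name.
        "non_root_uid0": sorted(u for u, (uid, _) in cur.items() if uid == 0 and u != "root"),
    }


# Constructed baseline and post-exploitation snapshots (not the machine's real files).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
clapton:x:1000:1000:clapton:/home/clapton:/bin/bash
"""
OBSERVED_PASSWD = """\
firefart:x:0:0:constructed sample:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
clapton:x:1000:1000:clapton:/home/clapton:/bin/bash
"""

if __name__ == "__main__":
    for key, value in compare_passwd(BASELINE_PASSWD, OBSERVED_PASSWD).items():
        print(f"{key:14} {value}")
```

In practice the baseline comes from a known-good build image or a file-integrity tool's database, and the check belongs alongside the patching that removes the vulnerable version in the first place: a kernel or package that stays at an exploitable version is the condition that made this escalation possible.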
Machine fully completed!