DarkHole Walkthrough – Vulnhub – Writeup
DarkHole is an easy machine from Vulnhub, and it runs on VMware. As I said, the machine is easy overall, but getting the initial foothold is tricky. If you haven’t tried this machine yet, give it a go.
Link to the machine: https://www.vulnhub.com/entry/darkhole-1,724/
Identify the target
As always, we first have to identify the IP address of the target machine on the local network.
fping -aqg 192.168.19.0/24
Scan open ports
Next, we scan all ports on the target to see which services are exposed.
sudo nmap -v -T4 -A -p- -oN nmap.log 192.168.19.150
Here, only an HTTP port is open, so the web server is our sole entry point.
Enumerate the webserver
The default page doesn’t have much except for a login link.
I tried SQL injection on the login form, but it did not succeed. Therefore, I registered a user via the “Sign up now” link. The form has one unlabelled input, but the page source shows that it is an email field. After registering, I logged in and saw the following page.
We see the dashboard of the user with id 2, which means there is probably another user with id 1, and that user could well be the admin. Looking at the page source, we find something interesting.
As we can see above, there is a hidden input named “id”. So, if we submit the password-change form with the id set to 1, it might change the admin’s password instead of our own. Let’s try that. You can use the “Edit and resend” feature of the Firefox developer tools, or a proxy such as Burp Suite or ZAP, to modify the request.
Then I tried logging in with the username “admin” and the new password. Fortunately, it was successful.
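The hidden “id” field described above is an insecure direct object reference: the server trusts a client-controlled identifier to decide whose password gets changed. The following is an added illustration, not code from the DarkHole machine, with a constructed user table and constructed function names; it models the vulnerable handler beside a fixed one that derives the target from the server-side session.

```python
import hashlib
import hmac

# Constructed user store for this example: id -> record (not from the machine).
USERS = {
    1: {"username": "admin", "salt": b"salt-admin", "pw": None},
    2: {"username": "newuser", "salt": b"salt-newuser", "pw": None},
}


def hash_pw(salt: bytes, password: str) -> bytes:
    """Salted PBKDF2 so stored hashes are not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def change_password_vulnerable(session_uid: int, form: dict) -> int:
    """Models the bug: the target user comes from the hidden form field.

    A logged-in user can rewrite id=2 to id=1 in the request and reset the
    admin's password. The session user id is never consulted.
    """
    target = int(form["id"])
    USERS[target]["pw"] = hash_pw(USERS[target]["salt"], form["password"])
    return target


def change_password_fixed(session_uid: int, form: dict) -> int:
    """Hardened version: the target is always the authenticated session user.

    If the client still sends an id and it disagrees with the session, the
    request is rejected; such a mismatch is a clear signal worth logging.
    """
    if "id" in form and int(form["id"]) != session_uid:
        raise PermissionError("form id does not match authenticated user")
    target = session_uid
    USERS[target]["pw"] = hash_pw(USERS[target]["salt"], form["password"])
    return target


def verify(uid: int, password: str) -> bool:
    """Constant-time check of a password against the stored hash."""
    rec = USERS[uid]
    if rec["pw"] is None:
        return False
    return hmac.compare_digest(rec["pw"], hash_pw(rec["salt"], password))
```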
Unlike the regular user, admin has an upload feature. When I tried uploading a PHP shell, it gave me an error, but renaming the file with a “.phar” extension got it through.
The upload response also reveals the path of the stored file. I had already started a netcat listener on port 9001, the same port configured in the shell file.
nc -nlvp 9001
Next, I upgraded the shell (see: Upgrade to an intelligent reverse shell).
Escalate user’s privileges
Listing /home shows two users, john and darkhole. In john’s home directory, we find a SUID binary.
This binary is a copy of the “id” binary, except that it executes as the user “john”.
We can exploit this because the binary looks up “id” through PATH rather than by an absolute path. Instead of letting it run the real “id”, we create a custom executable with the same name and prepend its directory to PATH.
echo 'bash' > /tmp/id; chmod +x /tmp/id; export PATH=/tmp:$PATH
Then, I executed the SUID binary once again and got a shell as john.
In the same directory, there is a password file containing john’s password. I then logged in as john over SSH.
Root privilege escalation
Finally, I checked the user’s sudo permissions.
John can run a Python script as root with sudo, and the script is writable by him, so we can edit it to spawn a shell.
echo 'import os;os.system("/bin/bash")' > /home/john/file.py
sudo python3 /home/john/file.py
Lastly, I got the root flag.