## https://sploitus.com/exploit?id=E69FB883-5FEE-526C-A5BD-4275FD293287
# DarkHole-2-Penetration-Testing-Writeup.
DarkHole 2 is a vulnerable Linux machine designed to simulate real-world misconfigurations and chained exploitation scenarios.
Category: Linux / Web Exploitation / Privilege Escalation
Objective: Gain initial access and escalate privileges to root
## Summary
DarkHole 2 is a vulnerable Linux machine designed to simulate real-world misconfigurations and chained exploitation scenarios.
The attack path involved command injection โ internal service access โ credential exposure โ privilege escalation to root.
## Methodology
The following methodology was used throughout the engagement:
Reconnaissance & Enumeration
Web Application Exploitation (Command Injection)
Local File System Analysis
SSH Key Discovery & Lateral Movement
Privilege Escalation via misconfigurations and system weaknesses
๐งญ Reconnaissance
Initial enumeration focused on identifying exposed services, user directories, and potential entry points.
Key observations:
Active user directories available under /home
Presence of hidden .ssh directories
Local services bound to internal interfaces
Suspicious web endpoint capable of executing system commands
System enumeration revealed that the environment lacked proper hardening and allowed excessive file visibility between users.
## Initial Access (Command Injection)
A vulnerable web endpoint exposed a cmd parameter that directly executed system-level commands without sanitization.
This allowed arbitrary command execution on the target system.
Impact:
Remote command execution (RCE)
System enumeration via web interface
File system traversal
Discovery of internal user context
Example behavior:
Execution of system commands via HTTP requests
Ability to interact with system utilities (e.g., file listing, process inspection)
## Foothold & Lateral Movement
After obtaining command execution, further exploration revealed:
SSH private key material inside user .ssh directories
Misconfigured permissions allowing sensitive file access
Local service exposure requiring tunneling for access
Actions performed:
Extracted sensitive authentication material (SSH keys)
Established SSH port forwarding to interact with internal services
Accessed restricted internal endpoints via localhost tunneling
## Privilege Escalation
Multiple privilege escalation vectors were identified and tested:
1. File Permission Misconfigurations
Sensitive files were accessible due to weak permission settings, enabling information disclosure.
2. SUID Binary Review
System binaries were inspected for misconfigured SUID permissions that could allow elevated execution.
3. Cron Job Inspection
System-wide scheduled tasks were reviewed for insecure script execution paths.
4. System Vulnerability Research
Kernel and system version were analyzed for potential known local privilege escalation exploits.
## Root Access
Privilege escalation was achieved through chaining misconfigurations and system-level weaknesses, resulting in full root access.
Post-exploitation results:
Root shell obtained
Full file system access
Access to sensitive system configuration files (/etc/shadow, system logs, etc.)
Complete compromise of the machine
## Indicators of Compromise (IOCs)
Command injection via HTTP parameter (cmd)
SSH key exposure in user directories
Local service exposure on non-public interfaces
Elevated binary execution paths
## Key Learnings
Command injection can lead to full system compromise if not sanitized properly
SSH key exposure remains a critical misconfiguration in Linux systems
Internal services should never be exposed without proper authentication
Privilege escalation often relies on chaining multiple small misconfigurations
## Evidence
Due to lab restrictions, screenshots were not allowed.
However, the following steps were verified during exploitation:
- Successful command injection via vulnerable web parameter (`cmd`)
- Access to `.ssh` directory and retrieval of sensitive key material
- Successful SSH tunneling to internal service
- Privilege escalation to root confirmed via system shell access
> ## Note: This lab was performed in a restricted training environment where screenshots were not permitted. All findings and steps have been documented based on direct exploitation results.