
Vulnerable VM practice: GoldenEye

Reference: https://www.anquanke.com/post/id/156098#h3-4

Download

GoldenEye VM download: https://pan.baidu.com/s/1dzs_qx-YwYHk-vanbUeIxQ

Installation and discovery

Import the VM directly into VirtualBox, then find its IP with netdiscover.
[screenshot]

Target IP: 192.168.31.147

Scan the ports:

root@kali:~$ nmap -sV -Pn -v -p- -T5 192.168.31.147

Then we get the results:
[screenshot]

Port 80

Take a look at port 80.
[screenshot]

Looking at the page source, we find terminal.js:

var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];

//
//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate. 
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;


  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}

Decode the &#NN; character references and we get InvincibleHack3r

[screenshot]
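As an added example (not code from the original post or from the GoldenEye VM), here is how the &#NN; references above decode, together with a small reviewer check that flags such encoded runs inside JavaScript comments: everything shipped to the browser is readable by every visitor, so encoding a secret this way is obfuscation, not protection. It assumes Node.js and uses a constructed copy of the comment block as its input.

```javascript
// Added example (not from the original post or the GoldenEye VM): decode the
// HTML numeric character references left in the terminal.js comment, and a
// reviewer check that flags such encoded runs inside JavaScript comments.
// Assumes Node.js; SAMPLE_SOURCE is constructed from the snippet quoted above.

// Decode &#NNN; (decimal) and &#xHH; (hexadecimal) references; anything that
// is not a valid code point is left untouched rather than thrown on.
function decodeNumericCharRefs(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|\d+);/g, (match, code) => {
    const isHex = code[0] === 'x' || code[0] === 'X';
    const cp = isHex ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Flag runs of four or more consecutive references inside // or /* */
// comments. Everything in a shipped script is readable by every visitor, so
// an "encoded" secret in a comment is obfuscation, not protection.
function findEncodedRunsInComments(source) {
  const findings = [];
  const comments = source.match(/\/\/[^\n]*|\/\*[\s\S]*?\*\//g) || [];
  for (const comment of comments) {
    const runs = comment.match(/(?:&#(?:[xX][0-9a-fA-F]+|\d+);){4,}/g) || [];
    for (const run of runs) {
      findings.push({ comment: comment.trim(), decoded: decodeNumericCharRefs(run) });
    }
  }
  return findings;
}

// Constructed sample: the comment block from terminal.js as quoted in the post,
// plus one reference in code (not a comment) that the check should ignore.
const SAMPLE_SOURCE = `
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
var banner = "&#65;"; // a lone reference outside a comment is ignored
`;

for (const f of findEncodedRunsInComments(SAMPLE_SOURCE)) {
  console.log(`encoded run in comment "${f.comment}" decodes to: ${f.decoded}`);
}
```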

Then go to /sev-home/, which prompts for a login. Logging in directly with username boris and password InvincibleHack3r succeeds.

Look at the source; the first important part is:

</video>
<div id="golden">
<h1>GoldenEye</h1>
<p>GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) </p>
<p>Please email a qualified GNO supervisor to receive the online <b>GoldenEye Operators Training</b> to become an Administrator of the GoldenEye system</p>
<p>Remember, since <b><i>security by obscurity</i></b> is very effective, we have configured our pop3 service to run on a very high non-default port</p>
</div>

We notice "we have configured our pop3 service to run on a very high non-default port",
and from the port scan earlier we already know pop3 is on 55007.

There is also another section at the very bottom of the page:

Qualified GoldenEye Network Operator Supervisors: 
Natalya
Boris

So let's turn to pop3.

pop3

hydra -l Natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.31.147 -s 55007 pop3

[screenshot]

and

hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.31.147 -s 55007 pop3

[screenshot]

login: boris   password: secret1!
login: Natalya   password: bird

Here you can try connecting directly with nc.
[screenshot]
There are three emails; log in and take a look at them.

If that is too much hassle, you can use Thunderbird.
[screenshot]

The key email:

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle Ok, user creds are: username: xenia password: RCP90rulez! Boris verified her as a valid contractor so just create the account ok? And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir **Make sure to edit your host file since you usually work remote off-network.... Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

Let's edit the hosts file.
[screenshot]

Then connect and log in with the credentials from the email; we find a message.
[screenshot]

Then brute-force with hydra.
[screenshot]

Connect to pop3.
[screenshot]

We get the website credentials; switching to that account, we find a secret file.
[screenshot]

It reads:

007,

I was able to capture this apps adm1n cr3ds through clear txt. 

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here. 

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Download the image and run strings on it.
[screenshot]

Then base64-decode the string to find the password; go back to the admin panel and log in as admin with password xWinter1995x!.

After logging in we find the CMS version information.
[screenshot]

Getting a shell with msf

Search in msf.
[screenshot]

So use this exploit; note that the path has to be set.
[screenshot]
Run it, and it fails.
Look at the exploit: https://www.exploit-db.com/exploits/29324/

Line 123 specifies the editor.
[screenshot]

So go to the admin panel and change that setting.
[screenshot]

Then run it and get a shell.
[screenshot]

Privilege escalation

Check the kernel information, then look it up on exploit-db.
[screenshot]

Check the usage.
[screenshot]

Then just download it, write a web shell in to make transferring files easier, and upload the exploit.
[screenshot]

Back in msf, compile and run it, and we find the target has no gcc..
[screenshot]

That can be worked around with clang or cc.

clang

[screenshot]

cc

[screenshot]

Getting the flag

Go to the root directory.
[screenshot]
