Target machine penetration practice (GoldenEye)

Reference: https://www.anquanke.com/post/id/156098#h3-4

Download

GoldenEye VM download: https://pan.baidu.com/s/1dzs_qx-YwYHk-vanbUeIxQ

Installation and reconnaissance

Import the VM directly into VirtualBox, then find its IP with netdiscover. Target IP: 192.168.31.147. Scan the ports:

root@kali:~$ nmap -sV -Pn -v -p- -T5 192.168.31.147

Then we get the results.

Port 80

Take a look at port 80. Viewing the page source reveals terminal.js:

var data = [
{
GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
}
];

//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
    var currentElementId = allElements[j].id;
    var currentElementIdContent = data[0][currentElementId];
    var element = document.getElementById(currentElementId);
    var devTypeText = currentElementIdContent;

    var i = 0, isTag, text;
    (function type() {
        text = devTypeText.slice(0, ++i);
        if (text === devTypeText) return;
        element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
        var char = text.slice(-1);
        if (char === "<") isTag = true;
        if (char === ">") isTag = false;
        if (isTag) return type();
        setTimeout(type, 60);
    })();
}

Decoding the HTML numeric character references gives InvincibleHack3r. Go to /sev-home/, which asks for a login; the username boris with the password InvincibleHack3r logs in successfully. Look at the source; the first important part is:
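As an added example (not code from the original post or from the VM), here is the check a code reviewer would run to catch a credential hidden in client-side JavaScript the way the comment above hides it: it finds runs of HTML numeric character references in the source, decodes both decimal and hex forms, and reports where they occur. The sample source is constructed; its hex line is a made-up addition, the decimal run is the one shown on the page.

```python
import re

# Constructed sample in the style of the terminal.js comment block quoted above.
# The decimal entity run is the one that appears on the page; the hex line is
# a made-up addition to show that &#x..; references are handled too.
SAMPLE_JS = """var data = [];
//
//Boris, make sure you update your default password.
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
var greeting = "&#x48;&#x69;&#x21;&#x21;";  // constructed hex-form example
"""

ONE_ENTITY = re.compile(r'&#([xX][0-9a-fA-F]+|[0-9]+);')


def decode_entity_run(run):
    """Decode a run of numeric character references (decimal or hex) to text."""
    chars = []
    for m in ONE_ENTITY.finditer(run):
        body = m.group(1)
        codepoint = int(body[1:], 16) if body[0] in 'xX' else int(body)
        chars.append(chr(codepoint))
    return ''.join(chars)


def find_encoded_strings(source, min_len=4):
    """Return (line_number, decoded_text) for each run of at least min_len
    consecutive numeric entities; a short run is more likely markup than a secret."""
    run_re = re.compile(r'(?:&#(?:[xX][0-9a-fA-F]+|[0-9]+);){%d,}' % min_len)
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in run_re.finditer(line):
            hits.append((lineno, decode_entity_run(m.group(0))))
    return hits


if __name__ == "__main__":
    for lineno, text in find_encoded_strings(SAMPLE_JS):
        print("line %d: %s" % (lineno, text))
```

Running it over the real terminal.js reports line 6 decoding to the password the walkthrough recovers, which is exactly the finding a pre-deployment review of static assets should surface.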

</video>
<div id="golden">
<h1>GoldenEye</h1>
<p>GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) </p>
<p>Please email a qualified GNO supervisor to receive the online <b>GoldenEye Operators Training</b> to become an Administrator of the GoldenEye system</p>
<p>Remember, since <b><i>security by obscurity</i></b> is very effective, we have configured our pop3 service to run on a very high non-default port</p>
</div>

It says "we have configured our pop3 service to run on a very high non-default port", and the earlier port scan already showed pop3 on 55007. At the very bottom of the page there is one more section:

Qualified GoldenEye Network Operator Supervisors: 
Natalya
Boris

So we turn to pop3.

pop3

hydra -l Natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.31.147 -s 55007 pop3

and

hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.31.147 -s 55007 pop3
login: boris   password: secret1!
login: Natalya password: bird

You can connect with nc directly and try it. There are three emails; log in and read them. If that is too tedious, use Thunderbird. The key email:

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle 

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

Edit the hosts file, then connect and log in with the credentials from before. We find an email, brute-force with hydra, connect to pop3, and obtain the website credentials. Switching to that account, we find a secret file that says:

007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Download the image and run strings on it, then base64-decode to find the password. Back at the admin panel, log in as admin with the password xWinter1995x!. After logging in, the CMS version information is visible.

Getting a shell with msf

Search in msf and use this exploit; note that the path must be set. Run it, and it fails. Look at the exploit: https://www.exploit-db.com/exploits/29324/ . Line 123 specifies the editor, so go into the admin panel and change that setting, then run it again and get a shell.

Privilege escalation

Check the kernel information, then look it up on exploit-db. Check the usage; just download it, drop a web shell to make file transfer easier, then upload the exploit. Back in msf, compile and run it, only to find the target has no gcc... so use clang or cc instead.

clang


cc


Getting the flag

Go to the root directory.