Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:E4:96:14 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds
We can see that there are 2 more unknown ports on the server.
Let's put the IP in the web browser.
Let's navigate to /sev-home
Then, if we go back to the main page and open Inspect Element, we can see a JavaScript file.
We can see there is an encrypted password. I copied it and pasted it into the Google search bar, and surprisingly we got this
Very obvious: the username is boris and we can log in.
We can see that there is a POP3 server running.
If we use nmap to enumerate both of the unknown ports, we learn that 55007 is running POP3.
Exploitation
Hydra
Then we can brute-force the passwords of boris and natalya.
Got the password! We can now log in to the POP3 server.
Nothing seems very interesting here, so we move on to natalya.
Doing the same thing as for boris, we get something pretty interesting here.
We got credentials, and we need to add the server IP to /etc/hosts so that severnaya-station.com resolves.
After doing that, we can go to the browser and navigate to severnaya-station.com/gnocertdir
We can log in with the credentials we were given.
Then we navigate to Messages and we can see that the username is doak.
Now we can take the username doak and brute-force it with hydra again.
We got the credentials; we can then go back to the POP3 server and log in.
We got the credentials and go back to Moodle and log in.
We then go to Private files and there is a s3cret.txt.
After catting the file, we get this
We can see that the picture leads to the admin credentials.
We can see that there is a link in the file; if we follow the link,
If we download the picture and use the strings command to list all readable content, we get this
We can see that there is a base64-encoded line.
After decoding, we get
Let's log in to Moodle using the credentials we just got.
After playing around, I found out that under Site administration, Plugins, and Text editors there is a TinyMCE HTML editor.
We need to change the spell engine from Google Spell to PSpellShell.
Then we go to Server and System paths, where there is a Path to aspell section.
Reverse Shell
I tried using netcat but it didn't work, so we change the section to a Python reverse shell.
Then we set up a listener on our machine.
Then we go to the blog and add a new entry.
After that, click the spell check to get the reverse shell.
Then we can type a Python command
Privilege Escalation
If we type uname -a, we can see that the kernel is out of date.
We can then searchsploit the kernel.
After that we can copy it to our directory. I then tried to transfer the file to the target machine, but gcc is not available on the target machine; cc is available.
So we need to change something in the exploit: change gcc to cc.
Then on our machine we fire up SimpleHTTPServer using Python.
On the target machine, navigate to the /tmp directory and wget the file.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00067s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown
MAC Address: 00:0C:29:E4:96:14 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds
nmap -sV -p 55006,55007 192.168.1.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:28 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
55006/tcp open ssl/unknown
55007/tcp open pop3 Dovecot pop3d
MAC Address: 00:0C:29:E4:96:14 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds
hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
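From the defender's side, a hydra run like the one above against Dovecot on 55007 shows up as a burst of pop3-login auth failures from one client. The following is an added example, not code from the original write-up, that flags such bursts in constructed log lines (the line shape is assumed to match Dovecot's pop3-login messages, and the client IPs are made up) and notes whether a login from that client succeeded right after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like Dovecot's pop3-login messages (assumed
# format; not log output from the original write-up). Client IPs are made up.
SAMPLE_LOG = """\
May 23 10:31:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
May 23 10:31:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
May 23 10:31:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
May 23 10:31:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
May 23 10:31:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
May 23 10:31:04 ubuntu dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
May 23 11:05:10 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<doak>, method=PLAIN, rip=192.168.1.77, lip=192.168.1.116
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Disconnected \(auth failed[^)]*\)|Login): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)

def parse_line(line):
    """Return (timestamp, failed?, user, client_ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
    return ts, m["event"].startswith("Disconnected"), m["user"], m["rip"]

def find_bruteforce(log_text, threshold=5, window_secs=60):
    """Flag client IPs with >= threshold auth failures inside window_secs and
    note whether a successful login from that IP followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        ts, failed, user, rip = ev
        (failures if failed else successes)[rip].append((ts, user))
    alerts = {}
    for rip, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            window = [f for f in fails[i:] if (f[0] - start).total_seconds() <= window_secs]
            if len(window) >= threshold:
                last_fail = window[-1][0]
                alerts[rip] = {
                    "failures": len(window),
                    "users": sorted({u for _, u in window}),
                    "success_after": any(ts >= last_fail for ts, _ in successes[rip]),
                }
                break  # one alert per client IP is enough
    return alerts
```

A burst followed by a successful login is the case worth paging on; fail2ban's dovecot jail or Dovecot's own auth penalty settings would be the usual mitigation for the brute force itself.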