GOLDENEYE
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine GoldenEye.
- GoldenEye can be downloaded from here:
- Once downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Discovering GoldenEye's IP:
- Scanning with Nmap, it seems that there are just two open ports:
- However, as we will see later, there are other open ports at higher numbers as well, related to POP3 services:
- Going to the web server, it indicates the presence of /sev-home/ to log in:
- However at this moment we don't have any credentials to try:
- Launching nikto, it seems that /splashAdmin.php could be a vulnerable application because it is running Cobalt Qube 3:
- Before going ahead with it, let's have a look at the web page's source:
- Clicking terminal.js we find an encoded password available for somebody called Boris:
- Decoding with Code Beautify:
- Great! We have our first valid credentials: boris:InvincibleHack3r
- Trying to login:
- Yes, we have access to /sev-home, and reading the banner, we confirm the presence of a POP3 service:
- Viewing the source we discover another user Natalya:
3 - POP3 EXPLOITATION
- At this point, why not try attacking the POP3 server with these two users and Hydra?
- Hydra is successful and we have valid credentials for two users of the POP3 service.
- Connecting to the POP3 service on port 5507, there are 3 messages for boris:
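From the defender's side, a Hydra run like the one above leaves a burst of failed POP3 logins against a handful of users from a single source, often followed by a successful login once a password is found. As an added example (not part of the original walkthrough), the following Python script flags exactly that pattern. The log format and the log lines are constructed for the example and do not come from any particular POP3 daemon; the threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not the output of a real POP3 server):
# timestamp, service, auth result, user, source address.
SAMPLE_LOG = """\
2024-01-01T10:00:01 pop3 auth failed user=boris src=192.168.1.50
2024-01-01T10:00:02 pop3 auth failed user=boris src=192.168.1.50
2024-01-01T10:00:02 pop3 auth failed user=natalya src=192.168.1.50
2024-01-01T10:00:03 pop3 auth failed user=boris src=192.168.1.50
2024-01-01T10:00:04 pop3 auth failed user=natalya src=192.168.1.50
2024-01-01T10:00:05 pop3 auth failed user=boris src=192.168.1.50
2024-01-01T10:00:06 pop3 auth ok user=boris src=192.168.1.50
2024-01-01T10:05:00 pop3 auth failed user=alice src=10.0.0.7
2024-01-01T11:00:00 pop3 auth failed user=alice src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3 auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: details} for every source with >= threshold failed logins
    inside any sliding window of the given length. 'details' also records the
    distinct users tried and whether a successful login followed the failures,
    which is the signature of a guess that worked."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "failed"]

        # Sliding window: count the densest run of failures within 'window'.
        start, densest = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            densest = max(densest, end - start + 1)

        if densest >= threshold:
            last_failure = failures[-1]["ts"]
            success_after = any(
                e["result"] == "ok" and e["ts"] >= last_failure for e in events
            )
            alerts[src] = {
                "failures_in_window": densest,
                "users": sorted({e["user"] for e in failures}),
                "success_after_failures": success_after,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The second source in the sample (two failures an hour apart) stays below the threshold and is not reported, which is the point of using a time window rather than a raw failure count.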
- Also there are 2 messages for natalya:
- Following the advice in the last message, GoldenEye's IP is mapped to the domain severnaya-station.com by editing /etc/hosts:
- Now severnaya-station.com resolves to 192.168.1.27, and we have access to the folder /gnocertdir, which is the login page for a Moodle platform:
- Trying to log in as xenia:RCP90rulez!, there is access to Moodle:
- It is interesting to notice the message at the right side, there is a user called admin:
- Reading Messages we learn about another user Dr Doak:
- Communication between xenia and Dr Doak:
- Again, let's launch Hydra to discover the password for user doak:
- Connecting to the POP3 server with credentials doak:goat is successful, and there is another email to be read:
- The message yields this additional credential: dr_doak:4England!
- Using dr_doak:4England! to enter the Moodle platform:
- Saving and reading s3cret.txt:
- Let's go for the .jpg picture where, according to the previous message, information about the admin's credentials can probably be found:
- Downloading the picture and running strings on it:
- The third line looks like Base64:
- Decoding:
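The two steps above (strings, then spotting and decoding the Base64 line) can be automated so that every Base64-looking token in a file is validated and decoded in one pass, which is also a useful check when auditing your own images and documents for embedded secrets before publishing them. This is an added example and not code from the original write-up; the sample file bytes and the embedded secret are constructed for the example and are not the VM's picture or credential.

```python
import base64
import binascii
import re

# Constructed sample: JPEG-like header bytes, binary noise, and one Base64 token
# placed where an image comment would sit. Not the real picture from the VM.
SECRET = b"admin:ExamplePassw0rd!"  # constructed value, not the VM's credential
SAMPLE_FILE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    + bytes(range(0, 256, 7))                       # binary noise
    + b"\xff\xfe\x00\x20" + base64.b64encode(SECRET) + b"\x00"
    + b"\x03\x05\x07Exif tag noise\x00"
    + b"\xff\xd9"
)

# A Base64 token: groups of the alphabet, optional padding, at least 8 characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(data, min_len=4):
    """Mimic the `strings` tool: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_base64(strings_out):
    """Return (token, decoded_text) for every token that is well-formed Base64
    and decodes to printable ASCII. Tokens that merely look like Base64 but fail
    strict decoding, or decode to binary, are dropped to limit false positives."""
    hits = []
    for s in strings_out:
        for token in s.split():
            if not B64_RE.match(token) or len(token) % 4 != 0:
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and all(0x20 <= b < 0x7F for b in raw):
                hits.append((token, raw.decode("ascii")))
    return hits


def scan_file_bytes(data):
    """Full pipeline: strings -> Base64 candidates -> decoded hits."""
    return find_base64(extract_strings(data))


if __name__ == "__main__":
    for token, text in scan_file_bytes(SAMPLE_FILE):
        print(f"{token} -> {text}")
```

Requiring strict decoding and printable output is what keeps ordinary binary runs (the noise bytes in the sample, "JFIF", Exif text) out of the results; a real scan of a large file will still produce a few candidates to eyeball.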
- Using admin:xWinter1995x! to enter the Moodle platform:
- Now we have access to the Moodle platform's Administration page:
4 - GETTING A REMOTE SHELL BY MOODLE EXPLOITATION
- Looking for an exploit for Moodle with Metasploit:
- Using the exploit moodle_cmd_exec and checking its options:
- Setting options:
- Running the exploit, it fails:
- However, we notice that the spell checker setting matters for this exploit.
- Let's review the description for the exploit:
https://www.exploit-db.com/exploits/29324
- The exploit assumes that PSpellShell is being used:
- However, going back to Moodle's Administration page, we see that by default the spell engine is Google Spell:
- Changing to PSpellShell:
- Now the exploit works perfectly and we have a low privileged shell:
5 - PRIVILEGE ESCALATION
- Checking the Linux kernel:
- It's not very difficult to find an exploit for this kernel version that achieves privilege escalation:
- Transferring from Kali to GoldenEye:
- The transfer is successful:
- Giving execution permissions:
- Trying to compile, we get the ugly surprise that gcc is not installed on GoldenEye:
- Let's review the source code for 37292.c:
- Copying to the local working directory:
- There is a reference to gcc inside 37292.c:
- Altering that line to use the compiler cc:
- Renaming to shell.c:
- Transferring shell.c from Kali to GoldenEye:
- Compiling with cc (by the way, the clang compiler could also be used):
- Now the compilation works:
- Running the executable shell, we get a remote root shell:
6 - CAPTURING THE FLAG
- Reading .flag.txt:
- Checking the hash type of the string, it is MD5:
- Cracking the MD5 hash (a lookup, since MD5 is a hash and cannot be decrypted):
- The final flag is a picture: