Monday, December 17, 2018



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine GoldenEye.

- GoldenEye can be downloaded from here:,240/

- Once downloaded and extracted with VirtualBox:


- Discovering GoldenEye's IP:

- Scanning with Nmap it seems that there are just two open ports:

- However, as we will see later, there are other higher open ports as well, related to POP3 services:

- Going to the web server, it indicates the presence of /sev-home/ for login:

- However at this moment we don't have any credentials to try:

- Launching nikto, it seems that /splashAdmin.php could be a vulnerable application because it is running Cobalt Qube 3:

- Before going ahead with it, let's have a look at the web page's source:

- Clicking terminal.js we find an encoded password available for somebody called Boris:

- Decoding with Code Beautify:

- Great! We have our first valid credentials: boris:InvincibleHack3r

- Trying to login:

- Yes, we have access to /sev-home, and reading the banner we confirm the presence of a POP3 service:

- Viewing the source we discover another user Natalya:


- At this point, why not try to attack the POP3 server with these two users and Hydra?

- Hydra is successful and we have valid credentials for 2 users to access the POP3 service.

- Connecting to the POP3 service at port 5507, there are 3 messages for boris:

- Also there are 2 messages for natalya:

- Following the advice in the last message, GoldenEye's IP is mapped to the domain by altering /etc/hosts:

- Now the connection to that domain is translated to GoldenEye's IP, and we have access to the folder /gnocertdir, which is the login page for a Moodle platform:

- Logging in as xenia:RCP90rulez! gives access to Moodle:

- It is interesting to note the message on the right side: there is a user called admin:

- Reading Messages we learn about another user Dr Doak:

- Communication between xenia and Dr Doak:

- Again, let's launch Hydra to discover the password of user doak:

- Connecting to the POP3 server with credentials doak:goat is successful, and there is another email to be read:

- The message yields this additional credential: dr_doak:4England!

- Using dr_doak:4England! to enter the Moodle platform:

- Saving and reading s3cret.txt:

- Let's go for the .jpg picture, where, according to the previous message, information about admin's credentials can probably be found:

- Downloading the picture and applying strings over it:

- The third line looks like Base64:

- Decoding it:
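As an added example (not part of the original post), here is a small Python script that does what the strings and decoding steps above do by hand: it pulls printable runs out of a binary file and reports any that decode as Base64 to readable text. The sample image bytes and the embedded placeholder credential are constructed for the demonstration.

```python
import base64
import re
import string

# Printable ASCII, the same character class `strings` looks for (space kept,
# other whitespace dropped so a run does not span line breaks).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len characters."""
    found, run = [], []
    for b in data:
        ch = chr(b)
        if ch in PRINTABLE:
            run.append(ch)
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def base64_candidates(lines: list[str]) -> list[tuple[str, str]]:
    """Keep lines that decode as Base64 to a fully printable string."""
    hits = []
    for line in lines:
        token = line.strip()
        if not B64_RE.match(token) or len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        text = decoded.decode("ascii", errors="replace")
        if text and all(c in PRINTABLE for c in text):
            hits.append((token, text))
    return hits


def find_hidden_base64(data: bytes) -> list[tuple[str, str]]:
    return base64_candidates(extract_strings(data))


# Constructed sample: a fake JPEG header plus a comment segment carrying a
# Base64-encoded placeholder (not the machine's real credential).
SECRET = b"user:PLACEHOLDER_password"
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xfe\x00\x20" + base64.b64encode(SECRET) + b"\x00"
    b"\xff\xdb\x00\x43\x00" + bytes(range(16, 80)) + b"\xff\xd9"
)

if __name__ == "__main__":
    for token, text in find_hidden_base64(SAMPLE_JPEG):
        print(f"{token} -> {text}")
```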

- Using admin:xWinter1995x! to enter the Moodle platform:

- Now we have access to the Moodle Administration page:


- Looking for an exploit for Moodle with Metasploit:

- Using the exploit moodle_cmd_exec and checking its options:

- Setting options:

- Running the exploit, it fails:

- However, we notice that the spellchecker setting matters for this exploit.

- Let's review the description for the exploit:

- The exploit assumes that PSpellShell is being used:

- However, going back to Moodle's Administration webpage, we see that by default the spell engine is Google Spell:

- Changing to PSpellShell:

- Now the exploit works perfectly and we have a low-privileged shell:


- Checking the Linux kernel:

- It's not very difficult to find an exploit for this kernel to achieve privilege escalation:

- Transferring from Kali to GoldenEye:

- The transfer is successful:

- Giving execution permissions:

- Trying to compile, we have the ugly surprise that gcc is not installed on GoldenEye:

- Let's review the source code of 37292.c:

- Copying to the local working directory:

- There is a line inside 37292.c that calls gcc:

- Altering that line to use the compiler cc:



- Renaming to shell.c:

- Transferring shell.c from Kali to GoldenEye:

- Compiling with cc (by the way, the clang compiler could also be used):

- Now the compilation works:

- Running the shell executable, we get a remote root shell:


- Reading .flag.txt:

- Checking the hash type of the string, it is MD5:

- Cracking the MD5 hash to recover the string:

- The final flag is a picture: