Whitelist: GoldenEye

GOLDENEYE

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine GoldenEye.

- GoldenEye can be downloaded from here:

https://www.vulnhub.com/entry/goldeneye-1,240/

- Once downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Discovering GoldenEye's IP:

- Scanning with Nmap it seems that there are just two open ports:

- However, as we will see later there are other higher open ports also, related with POP3 services:

- Going to the web server it indicates the presence of /sev-home/ to login:

- However at this moment we don't have any credentials to try:

- Launching nikto, it seems that /splashAdmin.php could be a vulnerable application because it is running Cobalt Qube 3:

- Before going ahead with it, let's have a look to the web's source:

- Clicking terminal.js we find an encoded password available for somebody called Boris:

- Decoding with Code Beautify:

- Great! we have our first valid credentials boris:InvincibleHack3r

- Trying to login:

- Yes, we have access to /sev-home, and reading the banner we confirm the presence of a POP3 service:

- Viewing the source we discover another user Natalya:

3 - POP3 EXPLOITATION

- At this point, why not trying to attack the POP3 server with these two users and Hydra?

- Hydra is successful and we have valid credentials for 2 users to access service POP3.

- Connecting to the POP3 service at port 5507 there are 3 messages for boris:

- Also there are 2 messages for natalya:

- Following advice for the last message GoldenEye's IP is pointed to domain severnaya-station.com by altering /etc/hosts:

- Now, connection to 192.168.1.27 is translated to severnaya-station.com and we have access to the folder /gnocertdir, what is the login page for a moodle platform:

- Trying to login as xenia:RCP90rulez! there is access to moodle:

- It is interesting to notice the message at the right side, there is a user called admin:

- Reading Messages we learn about another user Dr Doak:

- Communication between xenia and Dr Doak:

- Again, let's launch Hydra to discover doak user's password:

- Connecting to server POP3 with credentials doak:goat is succesful, and there is another email to be read:

- The message yields this additional credential dr_doak:4England!

- Using dr_doak:4England! to enter the moodle platform:

- Saving and reading s3cret.txt:

- Let's go for the .jpg picture, where according to the previous message information about admin's credentials can be probably found:

- Downloading and applying strings over the picture:

- The third line seems like Base64 code:

- Decoding:

- Using admin:xWinter1995x! to enter the moodle platform:

- Now, we have access to the moodle platform Administration page:

4 - GETTING A REMOTE SHELL BY MOODLE EXPLOITATION

- Looking for a exploit for moodle with Metasploit:

- Using the exploit moodle_cmd_exec and checking its options:

- Setting options:

- Running the exploit it fails:

- However, we detect that the spellchecker is important in this exploit.

- Let's review the description for the exploit:

https://www.exploit-db.com/exploits/29324