Monday, December 17, 2018

GoldenEye


GOLDENEYE

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine GoldenEye.

- GoldenEye can be downloaded from here:

https://www.vulnhub.com/entry/goldeneye-1,240/


- Once downloaded and imported into VirtualBox:





2 - ENUMERATION

- Discovering GoldenEye's IP:







- Scanning with Nmap, it seems that there are just two open ports:




- However, as we will see later, there are also other, higher-numbered open ports related to POP3 services:





- Browsing to the web server, the page indicates that /sev-home/ is the place to log in:





- However, at this moment we don't have any credentials to try:





- Launching nikto, it seems that /splashAdmin.php could be a vulnerable application because it is running Cobalt Qube 3:








- Before going ahead with it, let's have a look at the web page's source:





- Opening terminal.js, we find an encoded password for somebody called Boris:





- Decoding with Code Beautify:




- Great! We have our first valid credentials: boris:InvincibleHack3r

- Trying to login:




- Yes, we have access to /sev-home, and reading the banner we confirm the presence of a POP3 service:




- Viewing the source, we discover another user, Natalya:





3 - POP3 EXPLOITATION

- At this point, why not try to attack the POP3 server with these two usernames and Hydra?









- Hydra is successful, and we have valid POP3 credentials for both users.
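The brute-force step above is noisy on the server side: every Hydra guess leaves a failed-login record, and the eventual success comes from the same source address. The Python below is an added example, not code from the original write-up, showing the detection a defender would run over POP3 authentication logs: it flags a source that accumulates a threshold of failures within a short window, records which usernames were tried, and separately flags a later successful login from that flagged source, which is the signal that the guessing worked. The log lines are constructed in a Dovecot-style pop3-login format; GoldenEye's actual POP3 daemon, its log format, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot-style pop3-login lines (an assumption: the write-up does not show GoldenEye's
# POP3 daemon or its logs). Captures timestamp, outcome, user and remote IP (rip=).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[\d.]+)"
)

# Constructed sample: one source cycles guesses over two usernames and then logs in;
# a second source fails twice and then logs in, which should stay below the threshold.
SAMPLE_LOG = """\
Dec 17 10:00:01 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:00:02 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<natalya>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:00:03 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:00:04 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<natalya>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:00:05 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:00:06 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<natalya>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:00:09 goldeneye dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=192.168.1.10, lip=192.168.1.27
Dec 17 10:30:00 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.27
Dec 17 10:30:04 goldeneye dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.27
Dec 17 10:30:09 goldeneye dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.27
"""


def parse_line(line):
    """Return {ts, ok, user, rip} for a pop3-login line, or None for anything else.
    Syslog timestamps carry no year, so the parsed datetime is year 1900; only
    the differences between timestamps within one day are used here."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "ok": m.group("event") == "Login",
        "user": m.group("user"),
        "rip": m.group("rip"),
    }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window brute-force detector keyed on the remote IP.

    Emits one 'bruteforce' alert the first time a source reaches `threshold`
    failures inside `window_s` seconds, and a 'bruteforce_success' alert for
    every later successful login from a source that was already flagged."""
    fails = defaultdict(deque)    # rip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # rip -> usernames it has failed against
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        rip = ev["rip"]
        if ev["ok"]:
            if rip in flagged:
                alerts.append({"type": "bruteforce_success", "rip": rip,
                               "user": ev["user"], "ts": ev["ts"]})
            continue
        q = fails[rip]
        q.append(ev["ts"])
        tried[rip].add(ev["user"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and rip not in flagged:
            flagged.add(rip)
            alerts.append({"type": "bruteforce", "rip": rip, "failures": len(q),
                           "users": sorted(tried[rip]), "ts": ev["ts"]})
    return alerts


def analyze_sample():
    """Run the detector over the constructed log; expected: 2 alerts for 192.168.1.10."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by a success from the same address is the difference between a scan and a compromised mailbox, and it is exactly what the Hydra run in this write-up would leave behind.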

- Connecting to the POP3 service on port 5507, there are 3 messages for boris:













- There are also 2 messages for natalya:











- Following the advice in the last message, GoldenEye's IP is mapped to the domain severnaya-station.com by editing /etc/hosts:




- Now severnaya-station.com resolves to 192.168.1.27, and we have access to the folder /gnocertdir, which is the login page for a Moodle platform:




- Logging in as xenia:RCP90rulez! gives access to Moodle:



- It is interesting to notice the message on the right side: there is a user called admin:




- Reading Messages, we learn about another user, Dr Doak:





- Communication between xenia and Dr Doak:




- Again, let's launch Hydra to discover the password of user doak:







- Connecting to the POP3 server with credentials doak:goat is successful, and there is another email to read:




- The message yields this additional credential dr_doak:4England!





- Using dr_doak:4England! to enter the Moodle platform:





- Saving and reading s3cret.txt:









- Let's go for the .jpg picture where, according to the previous message, information about admin's credentials can probably be found:





- Downloading the picture and running strings on it:





- The third line looks like Base64:



- Decoding:






- Using admin:xWinter1995x! to enter the Moodle platform:




- Now we have access to the Moodle platform's Administration page:






4 - GETTING A REMOTE SHELL BY MOODLE EXPLOITATION

- Looking for a Moodle exploit with Metasploit:







- Using the exploit moodle_cmd_exec and checking its options:




- Setting options:




- Running the exploit, it fails:





- However, we notice from the failure that the spellchecker setting matters for this exploit.

- Let's review the description for the exploit:

https://www.exploit-db.com/exploits/29324





- The exploit assumes that PSpellShell is being used:





- However, going back to Moodle's Administration page, we see that the spell engine is set to Google Spell by default:



- Changing to PSpellShell:



- Now the exploit works perfectly, and we have a low-privileged shell:






5 - PRIVILEGE ESCALATION

- Checking the Linux kernel:



- It's not very difficult to find a privilege escalation exploit for this kernel:





- Transferring from Kali to GoldenEye:







- The transfer is successful:

- Giving execution permissions:



- Trying to compile, we get the ugly surprise that gcc is not installed on GoldenEye:



- Let's review the source code for 37292.c:


- Copying to the local working directory:



- There is a line inside 37292.c that references gcc:





- Altering that line to use the compiler cc instead:


......



......


- Renaming to shell.c:












- Transferring shell.c from Kali to GoldenEye:











- Compiling with cc (by the way, the compiler clang could also be used):




- Now the compilation works:



- Running the executable shell, we get a remote root shell:




6 - CAPTURING THE FLAG


- Reading .flag.txt:




- Checking the hash type of the string, it is MD5:




- Looking up the MD5 hash (MD5 is a one-way hash, so the string is cracked rather than decrypted):



- The final flag is a picture:
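Two steps in this write-up turn on recognising what kind of opaque string you are looking at: the Base64 line that appeared in the strings output of the picture (section 3), and the MD5 check on the flag (this section). The Python below is an added example, not code from the original post: it scans strings-style output for Base64 tokens that decode to printable text, guesses a bare hex digest's algorithm from its length, and shows with a short wordlist why an unsalted fast hash offers no protection once it leaks. The strings output and the placeholder credential inside it are constructed; GoldenEye's real Base64 string and flag hash are not reproduced, and the wordlist is a three-word stand-in.

```python
import base64
import hashlib
import re
import string

# A Base64 token: 16+ alphabet characters plus optional padding. The minimum length
# keeps short JPEG marker names such as "JFIF" or "8BIM" from being treated as Base64.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Hex digest length -> hashlib algorithm name for the common unsalted digests.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed stand-in for `strings` output on a JPEG. The credential is a placeholder;
# the write-up does not reproduce the real Base64 line or the decoded admin password.
PLACEHOLDER = "admin:PLACEHOLDER-password"
SAMPLE_B64 = base64.b64encode(PLACEHOLDER.encode()).decode()
SAMPLE_STRINGS = "\n".join([
    "JFIF",
    "Exif",
    SAMPLE_B64,
    "8BIM",
    "ICC_PROFILE",
    "%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz",
])


def try_base64(token):
    """Return the decoded text if token is valid Base64 for printable UTF-8, else None."""
    if not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)   # rejects bad chars and bad padding
        text = raw.decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    if text and all(ch in string.printable for ch in text):
        return text
    return None


def find_embedded_text(strings_output):
    """Scan strings-style output; return (line_no, token, decoded) for each Base64 hit."""
    hits = []
    for n, line in enumerate(strings_output.splitlines(), 1):
        for token in line.split():
            decoded = try_base64(token)
            if decoded is not None:
                hits.append((n, token, decoded))
    return hits


def identify_hex_digest(s):
    """Guess the algorithm of a bare hex digest from its length.
    Length is only a hint: MD5 and NTLM are both 32 hex characters, for example,
    so confirm against whatever application produced the value."""
    s = s.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    return HEX_LENGTHS.get(len(s))


def dictionary_lookup(hex_digest, wordlist):
    """Recover the preimage of an unsalted digest by hashing candidate words.
    Each guess costs one fast hash, which is why an unsalted MD5 or SHA-1 of a
    guessable string protects nothing once the digest leaks."""
    algo = identify_hex_digest(hex_digest)
    if algo is None:
        return None
    target = hex_digest.strip().lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def triage_sample():
    """Run both checks on the constructed data; returns a dict for inspection or tests."""
    digest = hashlib.md5(b"password").hexdigest()   # constructed, not the flag's hash
    return {
        "embedded": find_embedded_text(SAMPLE_STRINGS),
        "algo": identify_hex_digest(digest),
        "preimage": dictionary_lookup(digest, ["letmein", "goat", "password"]),
    }


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(key, value)
```

The Base64 check deliberately requires the decoded bytes to be printable text: binary blobs inside a JPEG can happen to be valid Base64 by chance, and the printable filter is what keeps the scan to the credential-shaped hits this write-up was after.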