GoldenEye: 1

[ vulnhub  ctf  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/goldeneye-1,240/

Walkthrough

nmap

default 80 points to login

login confirmed, need creds

default 80 shows js file


js file gives encoded password for boris

password decoded

login successful, points to pop3 service

source shows two usernames

pop3 port is 55007

start with natalya using hydra. had to bump tasks up to maximum as there were timeouts. password found
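Added example, not part of the original walkthrough: a defender-side counterpart to the hydra step above, a small detector that flags a source sending many POP3 authentication failures in a short window. The Dovecot-style log format, the IP addresses and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (Dovecot-like wording, not from the original post).
# One source hammers natalya's mailbox in seconds; another fails twice, an hour apart.
SAMPLE_LOG = """\
2019-06-07T10:00:01 pop3-login: auth failed, user=<natalya>, rip=10.0.0.5, port=55007
2019-06-07T10:00:02 pop3-login: auth failed, user=<natalya>, rip=10.0.0.5, port=55007
2019-06-07T10:00:03 pop3-login: auth failed, user=<natalya>, rip=10.0.0.5, port=55007
2019-06-07T10:00:04 pop3-login: auth failed, user=<natalya>, rip=10.0.0.5, port=55007
2019-06-07T10:00:05 pop3-login: auth failed, user=<natalya>, rip=10.0.0.5, port=55007
2019-06-07T10:00:06 pop3-login: auth failed, user=<natalya>, rip=10.0.0.5, port=55007
2019-06-07T10:30:00 pop3-login: auth failed, user=<doak>, rip=192.168.1.20, port=55007
2019-06-07T11:45:00 pop3-login: auth failed, user=<doak>, rip=192.168.1.20, port=55007
2019-06-07T11:46:00 pop3-login: Login: user=<doak>, rip=192.168.1.20, port=55007
"""

# Matches only failed POP3 logins; successful "Login:" lines are ignored.
FAIL_RE = re.compile(r"^(\S+) pop3-login: auth failed, user=<([^>]*)>, rip=([\d.]+)")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: summary} for every source with >= threshold failures
    inside a sliding window of window_seconds. The summary holds the failure
    count, the distinct usernames tried and the first timestamp in the window."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) within the window
    alerts = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        user, ip = m.group(2), m.group(3)
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that fell out of the window before counting.
        while q and ts - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = {
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first_seen": q[0][0].isoformat(),
            }
    return alerts
```

Because the window slides, the two widely spaced failures from 192.168.1.20 never trigger, while 10.0.0.5 is reported with all six failures once the fifth one lands.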

pop3 login works

message 1 nothing

message 2 gives creds, new web directory and instructions to update hosts file

directory is moodle

moodle login as natalya successful

message from doak. hints at pop3 service again

had to go through multiple lists as every list timed out. finally found a short enough one

pop3 login as doak with credentials

moodle login as dr_doak successful and after some searching there was a private file

s3cret file points to new web directory/image

browse to image and download

exiftool reveals base64 string

string decoded, most likely admin creds for moodle

moodle login as admin successful and after some enumeration, system paths look interesting

update the string to a python reverse shell oneliner

several tries to trigger it via spellcheck were unsuccessful. found an interesting spell engine and switched to it

reverse shell successful after triggering via spell check

lots of enumeration and could not find anything. none of the users listed in /etc/passwd could log in. no suid files either

checking system info and turning to google, found a likely exploit

downloading and compiling fails as there is no gcc, but it works with cc

however the exploit does another compile when it runs, so it fails

we update the code to use cc rather than gcc

download, compile, make executable and run the new sploit. it works. root

root flag. it points to a web flag

flag captured

Written on June 7, 2019