# TryHackMe-GoldenEye
## NMAP
```
Nmap scan report for 10.10.81.165
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/unknown
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE TOP CAPA PIPELINING USER UIDL RESP-CODES SASL(PLAIN) STLS
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 502.67 seconds
```
## PORT 80
Looking at source code
This is an encoded text on visting `cyberchef` and decoding it using `magic` we decoded the text
`InvincibleHack3` is the password for `boris`
But these creds are not right
So let's enumerate different ports
## PORT 55007 (POP3)
I tired to brute force with `boris` but failed
Earlier from the source code of the web page we saw a message that "Natalya could break your code" so maybe that's a potential username that we need to brute force so again using hydra
After some time I was able to get the correct password
Also got boris's password with the `fasttrack` wordlist
## Boris's Mail
Here we used telnet to connect to pop3 service and logged in with boris's credentials. We can see that there are 3 messages
### Message 1
### Message 2
### Message 3
## Natalya's mail
We do the same with natalya's mail
### Message 1
### Message 2
So we found the creds and a domain , lets add the domain in `/etc/hosts` file
Navigate to `severnaya-station.com/gnocertdir` and login with xenia's credentials
Going to user's messages we can find a conversation with a user `doak`
We find doak's password with the same procedure
## Doak's Mail
### Message
Login as dr_doak on the website
This is the message we get from that text file
```
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
```
Running `exiftool` on it we can find a base64 encoded text
Now we are logged in as admin. One thing we can do now is look for any exploits for `Moodle`
## Getting a reverse shell
For some reason the exploit wasn't working . I double checked everything but still it was failing
So I went with the manual exploitation of moodle
Under settings go to plugins ->Text Editors -> TinyMCE HTML editor and make sure to select Spell Engine as `PSpellShell`
Then make a blog post entry and click on spell check icon , if you have setup your netcat listener you'll get a shell frorm the target machine
Looking for kernel version
This is a really old kernel for linux so hopeully there will be an exploit on `exploit-db`
Download ,compile and transfer it to target machine
But on running it gave an error because gcc was not installed on the machine
On googling I found cc which is alternate to gcc and it was on the box
So we had to edit the exploit by replacing `gcc` to `cc` and then again transfer the compiled source code to the box
We got root !!