you can download it here: https://www.vulnhub.com/entry/goldeneye-1,240/
use nmap to discover the target:
nmap -Pn 192.168.227.0/24
check port 80
checked /sev-home/, it requires HTTP authentication. checked the main page’s source code and found a suspicious js file.
password is ASCII-encoded, convert back: InvincibleHack3r
username: boris password: InvincibleHack3r, login to /sev-home/
seems like I need to bruteforce its pop3 service.
use nmap to identify its pop3 port
port 55007 is running pop3 service, use hydra to do bruteforce:
hydra -L users.txt -P passwords.txt 192.168.227.145 -s 55007 -I pop3
login using natalya’s credentials:
got some credentials:
url: severnaya-station.com/gnocertdir, need to map ip to severnaya-station.com
login and found this in message:
get one more email account: doak
do one more round bruteforce
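A defender's view of the two brute-force rounds above, as an added example that is not part of the original write-up: a sliding-window detector for repeated POP3 auth failures from one source, followed by a successful login from that same source. It assumes Dovecot-style pop3-login log lines with ISO timestamps; the log lines, the source addresses other than the target 192.168.227.145, and the names detect, FAIL, OK and SAMPLE are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Dovecot-style layout; adapt the pattern to your POP3 daemon's logs.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ dovecot: pop3-login: (?P<msg>[^:]+): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[\d.]+)"
)

def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return (kind, source_ip, detail) alerts in the order they fire."""
    recent = defaultdict(deque)  # source IP -> (time, user) of recent failures
    flagged = set()              # source IPs already reported as guessing
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        ip, user, q = m["rip"], m["user"], recent[m["rip"]]
        while q and ts - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if "auth failed" in m["msg"]:
            q.append((ts, user))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, sorted({u for _, u in q})))
        elif m["msg"] == "Login" and ip in flagged:
            # Success from a source that was just guessing: a password fell.
            alerts.append(("compromised", ip, user))
    return alerts

# Constructed sample: six failures in ten seconds, one unrelated typo, two logins.
FAIL = ("{} mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in "
        "2 secs): user=<{}>, method=PLAIN, rip={}, lip=192.168.227.145")
OK = "{} mail dovecot: pop3-login: Login: user=<{}>, method=PLAIN, rip={}, lip=192.168.227.145"
SAMPLE = [FAIL.format(f"2024-01-12T10:00:{s:02d}", "natalya", "192.168.227.130")
          for s in range(0, 12, 2)] + [
    FAIL.format("2024-01-12T10:00:11", "boris", "192.168.227.1"),
    OK.format("2024-01-12T10:00:12", "boris", "192.168.227.1"),
    OK.format("2024-01-12T10:00:13", "natalya", "192.168.227.130"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The "compromised" alert is the one to page on: it marks the account whose password should be rotated, while the single mistyped login from the other address stays below the threshold.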
check his email
get another credential on website
found this in his private file folder.
download the jpg as indicated in txt.
found this in exifinfo.
try using this as password and admin as username to login to the web portal
now I have the admin privilege in the web portal, need to get a webshell.
stuck here for a while, and succeeded using the exploit here: https://blog.ripstech.com/2018/moodle-remote-code-execution/
so now I can download a webshell to the web directory, or I can get a reverse shell straight away. either way is convenient.
get a reverse shell.
note that gcc is not available, but clang is available.
escalate privilege easily with dirty cow: