you can download it here: https://www.vulnhub.com/entry/goldeneye-1,240/

use nmap to discover the target:
nmap -Pn 192.168.227.0/24

1

check port 80

2

checked /sev-home/, it requires http authentication, check the main page’s source code, found a suspicious js.

3

password is ascii encoded, convert back: InvincibleHack3r

4

username: boris password: InvincibleHack3r, login to /sev-home/

5

seems like I need to bruteforce its pop3 service.
use nmap to identify its pop3 port

6

port 55007 is running pop3 service, use hydra to do bruteforce:
hydra -L users.txt -P passwords.txt 192.168.227.145 -s 55007 -I pop3

7

login using natalya’s credential:

8

get some credential:
username: xenia
password: RCP90rulez!
url: severnaya-station.com/gnocertdir, need to map ip to severnaya-station.com
login and found this in message:

9

get one more email account: doak
do one more round bruteforce

10

got it.
check his email

11

get another credential on website

12

found this in his private file folder.
download the jpg as indicated in txt.

13

found this in exifinfo.
try using this as password and admin as username to login to the web portal

14

now I have the admin privelege in the web portal, need to get an webshell.
stucked here for a while, and succeeded using the exploit here: https://blog.ripstech.com/2018/moodle-remote-code-execution/

15

so now I can download a webshell to the web directory. or I can straightaway get a reverse shell. anyway convenient.
get a reverse shell.

16

note that gcc is not available, but clang is available.

escalate privilege easily with dirty cow:

17