Casino Royale Valenka
Casino Royale was the 4th highest-grossing film of 2006, and was the highest-grossing installment of the James Bond series until Skyfall surpassed it in November 2012. Upon its release in the United Kingdom, Casino Royale broke series records on both opening day—£1.7 million —and opening weekend—£13,370,969.
- The Fate of Valenka - posted in SPOILERS: Casino Royale (2006): Of all the Bond girls in Casino Royale Valenka is the most mysterious. She is Le Chiffre's girlfriend and also henchwoman as she poisons Bond for him. During the torture scene we see Valenka enter the room with Vesper and another one of Le Chiffre's thugs. Later we hear two gun shots before Mr. White comes in to kill Le Chiffre.
- Casino Royale (2006) Plot Synopsis. WARNING: Spoilers. However, he is confronted by Obanno and his henchman, demanding his money back. They threaten to cut off Valenka's arm, however, Le Chiffre doesn't acquiesce. Out in the hallway, Bond hears Valenka screaming. He quickly grabs Vesper and they kiss in the stairway entrance to.
- Valenka is a supporting antagonist of the 2006 James Bond film Casino Royale. She is the girlfriend and henchwoman to Le Chiffre of Quantum. She was portrayed by Ivana Milicevic, who also played Kathryn Kidman in The Howling: Reborn.
Goal
root
Download
Walkthrough
nmap
default 80
default 8081
nothing happens after post
dirb shows some interesting directors
cards…nothing
kboard…nothing
robots is cards and kboard…lol
trying index.php reveals a pokermax software
we find an admin page, but default checks don’t work
we move to sqlmap
sqlmap success and we find the admin password
pokermax admin logged in
looking around, user valenka has some info in the profile
update /etc/hosts and browse to url, it’s a cms
going through the posts, this one looks interesting seeing how port 25 is open
quick search on e-db reveals a csrf attack that looks like it could workhttps://www.exploit-db.com/exploits/35301
setup the csrf file and hosted on attacking machine through apache
setup for the email took some time trying to figure out the correct subject line, had to go one by one through the poker clients
final send email with a link to the csrf file
access log shows file is checked!
attempt to sign-in with creds provided in csrf file
success! in as admin
wasted a lot of time looking for places to add php code, ends up there were details in a user profile again
browsing to the new url, it’s a file directoy
browsing to main.php, nothing special
but we find interesting notes in the source
looks like xxe vuln and here is a good post to followhttps://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
setup xml.txt and curl command
running reveals /etc/passwd
now we have users, know that ftp is open and from the comment in the ultra source that it’s an easy password. throw hydra at it…success
ftp access is successful, however we cannot do much. cannot upload, but can make directories
after some playing around, we can upload just without extensions :)
however we cannot add .php extension, but .php5 worked
we setup our netcat listener and browse to the file, but nothing happens. looking we need to add permissions to the file, we just 777 it
we revisit the file in the browser and we have a reverse shell
Casino Royale Valenka Dress
quickly find valenka password for mysql
able to elevate to user valenka after breaking out of jail. after much searching, elevation didn’t help though
back as www-data, searched and found an interesting suid file and directory
running the suid file it seems it’s pulling network stats and processes, most likely using run.sh
from here we need to become user le, so we look at some of the files being served by the webserver. it shows index.html calls collect.php
we see it’s calling the python script and we see it’s editable by www-data. it’s currently reading a log file, but perhaps we can change that to a reverse shell?
we know we can access these files via that 8081 port. looking more closely we see that the web server at this port is run by user le
first let’s create the new python script containing our reverse shell
next we download the file to /tmp
then we echo that file into the existing python script and overwrite the contents. we do a cat to verfiy as well
we setup a netcat listener on the new port, browse site and trigger the python script…we have a reverse shell as user le!!
so now back to the run.sh file, we take a look and we see it’s just netstat and ps commands
well we own the file, let’s chmod and append a /bin/sh
with that let’s run mi6…and we root
Casino Royale Bond Girls
moving to /root/flag folder we see a script flag.sh, which when run tells us to open to a url
nice