4/5/2022»»Tuesday

Casino Royale Valenka

4/5/2022
    93 - Comments

Casino Royale was the 4th highest-grossing film of 2006, and was the highest-grossing installment of the James Bond series until Skyfall surpassed it in November 2012. Upon its release in the United Kingdom, Casino Royale broke series records on both opening day—£1.7 million —and opening weekend—£13,370,969.

  1. The Fate of Valenka - posted in SPOILERS: Casino Royale (2006): Of all the Bond girls in Casino Royale Valenka is the most mysterious. She is Le Chiffre's girlfriend and also henchwoman as she poisons Bond for him. During the torture scene we see Valenka enter the room with Vesper and another one of Le Chiffre's thugs. Later we hear two gun shots before Mr. White comes in to kill Le Chiffre.
  2. Casino Royale (2006) Plot Synopsis. WARNING: Spoilers. However, he is confronted by Obanno and his henchman, demanding his money back. They threaten to cut off Valenka's arm, however, Le Chiffre doesn't acquiesce. Out in the hallway, Bond hears Valenka screaming. He quickly grabs Vesper and they kiss in the stairway entrance to.
  3. Valenka is a supporting antagonist of the 2006 James Bond film Casino Royale. She is the girlfriend and henchwoman to Le Chiffre of Quantum. She was portrayed by Ivana Milicevic, who also played Kathryn Kidman in The Howling: Reborn.

Goal

root

Download

Walkthrough

nmap

default 80

default 8081

nothing happens after post

dirb shows some interesting directors

cards…nothing

kboard…nothing

robots is cards and kboard…lol

trying index.php reveals a pokermax software

we find an admin page, but default checks don’t work

we move to sqlmap

sqlmap success and we find the admin password

pokermax admin logged in

looking around, user valenka has some info in the profile

update /etc/hosts and browse to url, it’s a cms

going through the posts, this one looks interesting seeing how port 25 is open

quick search on e-db reveals a csrf attack that looks like it could workhttps://www.exploit-db.com/exploits/35301

setup the csrf file and hosted on attacking machine through apache

setup for the email took some time trying to figure out the correct subject line, had to go one by one through the poker clients

final send email with a link to the csrf file

access log shows file is checked!

attempt to sign-in with creds provided in csrf file

success! in as admin

wasted a lot of time looking for places to add php code, ends up there were details in a user profile again

browsing to the new url, it’s a file directoy

browsing to main.php, nothing special

but we find interesting notes in the source

looks like xxe vuln and here is a good post to followhttps://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

setup xml.txt and curl command

running reveals /etc/passwd

now we have users, know that ftp is open and from the comment in the ultra source that it’s an easy password. throw hydra at it…success

Craig

ftp access is successful, however we cannot do much. cannot upload, but can make directories

after some playing around, we can upload just without extensions :)

however we cannot add .php extension, but .php5 worked

we setup our netcat listener and browse to the file, but nothing happens. looking we need to add permissions to the file, we just 777 it

we revisit the file in the browser and we have a reverse shell

Casino Royale Valenka Dress

quickly find valenka password for mysql

able to elevate to user valenka after breaking out of jail. after much searching, elevation didn’t help though

back as www-data, searched and found an interesting suid file and directory

running the suid file it seems it’s pulling network stats and processes, most likely using run.sh

from here we need to become user le, so we look at some of the files being served by the webserver. it shows index.html calls collect.php

we see it’s calling the python script and we see it’s editable by www-data. it’s currently reading a log file, but perhaps we can change that to a reverse shell?

we know we can access these files via that 8081 port. looking more closely we see that the web server at this port is run by user le

first let’s create the new python script containing our reverse shell

next we download the file to /tmp

then we echo that file into the existing python script and overwrite the contents. we do a cat to verfiy as well

we setup a netcat listener on the new port, browse site and trigger the python script…we have a reverse shell as user le!!

so now back to the run.sh file, we take a look and we see it’s just netstat and ps commands

well we own the file, let’s chmod and append a /bin/sh

with that let’s run mi6…and we root

Casino Royale Bond Girls

moving to /root/flag folder we see a script flag.sh, which when run tells us to open to a url

Casino Royale Valenka

nice