Casino Royale Valenka
Casino Royale (2006)
d. Martin Campbell
After following the URL in Valenka's profile, we are directed to a company blog. Clicking through the blog posts, dropdowns, etc., we discover the CMS is SnowfoxCMS and the CMS admin's email address is valenka@casino-royale.local.
Valenka (Ivana Milicevic)
Valenka was the blonde girlfriend of villainous terrorist financier Le Chiffre (Mads Mikkelsen).
In her film entrance, she climbed up a ladder onto Le Chiffre's yacht moored somewhere in the Bahamas, wearing a V-necked blue one-piece suit, and then strolled past his gaming card table.
During the major Casino Royale hold 'em poker tournament in Montenegro, there was a break in the game and Le Chiffre returned to his hotel room. Valenka, under duress, summoned him out to the balcony, where he was attacked by Ugandan terrorist Steven Obanno (Isaach De Bankole).
Obanno had learned that Le Chiffre had lost the money entrusted to him ('Where is my money?'). Le Chiffre assured him: 'Your money is safe. You'll have it tomorrow. All of it.' For the betrayal, Obanno threatened to cut off Le Chiffre's hand, but relented because Le Chiffre needed it to play cards. He then feigned cutting off Valenka's arm instead, without a word of protest from Le Chiffre. Obanno suggested to Valenka: 'You should find a new boyfriend.'
However, she remained with Le Chiffre and to assist him during the game, she slyly poisoned Bond's drink, forcing Bond to hurriedly leave the table. He unexpectedly returned however, after miraculously surviving cardiac arrest, joking: 'That last hand, it nearly killed me.'
It appeared that Valenka died when evil mastermind Mr. White's (Jesper Christensen) organization came upon Le Chiffre's gang and executed them (off-screen).
Goal
root
Download
Walkthrough
nmap: FTP, SMTP (port 25) and HTTP on ports 80 and 8081 are open
port 80 serves a default-looking page
port 8081 serves a form
submitting the form (POST) does nothing visible
dirb shows some interesting directories:
/cards: nothing
/kboard: nothing
robots.txt lists exactly those two, /cards and /kboard... lol
requesting index.php explicitly reveals PokerMax poker software
we find an admin login page, but default credentials don't work
we move to sqlmap against the login
sqlmap succeeds (the login is SQL-injectable) and dumps the admin password
logged in to the PokerMax admin panel
looking around the admin panel, user valenka has some info in her profile (a URL on a local hostname)
add the hostname to /etc/hosts and browse to the URL: it's a CMS
going through the posts, one of them looks interesting given that port 25 (SMTP) is open
a quick search on exploit-db reveals a CSRF exploit for the CMS that looks like it could work: https://www.exploit-db.com/exploits/35301
set up the CSRF file and host it on the attacking machine via Apache
setting up the email took some time: we had to figure out the correct subject line, going one by one through the poker clients
finally send the email with a link to the CSRF file
the Apache access log shows the file was fetched, so the link was followed!
attempt to sign in with the credentials set in the CSRF file
success! in as admin
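The exploit above works because the CMS accepts a state-changing POST from any page the logged-in admin happens to visit (here, the link in our email). As an added example, not code from SnowfoxCMS or from exploit 35301, here is the server-side check that would have stopped it: the request's Origin (or Referer) must match the site, and the form must echo back a per-session token that the attacker's page cannot read. SITE_ORIGIN, the attacker host address and the form field names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for the example: the CMS's own origin. A real app reads this from config.
SITE_ORIGIN = "http://casino-royale.local"


def issue_token(session):
    """Mint the synchronizer token once per session; the admin's own forms echo it back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_ok(session, headers, form):
    """Accept a state-changing request only if it is same-origin AND carries the session token."""
    # Check 1: the browser-supplied source. Origin is sent on cross-site POSTs;
    # Referer is the fallback. A request with neither is refused, not trusted.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False
    # Check 2: the synchronizer token. The attacker's page can make the browser attach the
    # admin's cookies, but it cannot read the token out of the admin's own pages.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    """The legitimate admin action versus the forged one from the walkthrough."""
    session = {"user": "admin"}
    token = issue_token(session)
    # Admin submits the real 'add user' form from the CMS itself.
    legit = csrf_ok(session, {"Origin": SITE_ORIGIN},
                    {"username": "attacker", "password": "x", "csrf_token": token})
    # Admin clicks the emailed link; the attacker's page auto-submits the same form
    # from its own origin (address constructed for the example), with no token.
    forged = csrf_ok(session, {"Origin": "http://192.168.56.101"},
                     {"username": "attacker", "password": "x"})
    return legit, forged


if __name__ == "__main__":
    print(demo())  # legitimate request accepted, forged request refused
```

Either check alone has known gaps (some clients send neither Origin nor Referer, and a token leaks if the site also has XSS), which is why frameworks pair them; the exploit used here only needed the first one to be missing.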
wasted a lot of time looking for places to add PHP code; it turned out the details were in a user profile again
browsing to the new URL gives a directory listing
browsing to main.php, nothing special
but we find interesting notes (comments) in the page source
looks like an XXE vulnerability, and here is a good post to follow: https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection
set up xml.txt with the XXE payload and a curl command to submit it
running it returns /etc/passwd
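The payload in xml.txt is the classic external-entity document: a SYSTEM entity pointing at a local file, referenced inside an element the application echoes back. As an added example, not the page's own xml.txt or the depthsecurity code, the following Python reproduces both sides offline with the standard library's xml.sax parser: the same document parsed with external general entities enabled leaks the file, and with the feature left off (Python's default since 3.7.1) the entity expands to nothing. The target is a constructed temp file standing in for /etc/passwd; the element names are assumptions.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(path):
    """Build the XXE document: a SYSTEM entity for a local file, referenced in <name>."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        '<data><name>&xxe;</name></data>'
    ).encode()


def parse_name(xml_bytes, resolve_external_entities):
    """Parse the way a naive endpoint would and return the text of <name>.
    resolve_external_entities=True is the vulnerable configuration."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Returns (leaked == secret, text seen by the hardened parser)."""
    # Constructed stand-in for /etc/passwd so the example runs anywhere.
    secret = "root:x:0:0:root:/root:/bin/bash"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        payload = xxe_payload(path)
        leaked = parse_name(payload, resolve_external_entities=True)
        safe = parse_name(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked == secret, safe


if __name__ == "__main__":
    print(demo())
```

The same switch exists under other names elsewhere (resolve_entities in lxml, the external-general-entities feature in Java SAX); the check for any endpoint is the same one the curl command performs: submit a document with a SYSTEM entity and see whether the file content comes back in the response.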
now we have usernames, we know FTP is open, and the comment in the ultra source says it's an easy password. throw hydra at the FTP login... success
FTP access works, however we cannot do much: uploads are rejected, but we can make directories
after some playing around, we can upload files, just without an extension :)
we cannot use a .php extension either, but .php5 worked (the server still hands it to PHP)
we set up a netcat listener and browse to the file, but nothing happens; the file's permissions need relaxing, so we just chmod 777 it
we revisit the file in the browser and we have a reverse shell
quickly find valenka's MySQL password
able to elevate to user valenka after breaking out of the restricted shell. after much searching, though, that elevation didn't help
back as www-data, we search and find an interesting SUID file (mi6) and its directory
running the SUID file, it seems to pull network stats and processes, most likely using run.sh
from here we need to become user le, so we look at the files served by the web server: index.html calls collect.php
collect.php calls a Python script that is writable by www-data. it currently reads a log file, but perhaps we can change it into a reverse shell?
we know we can reach these files via port 8081, and looking more closely, the web server on that port runs as user le
first, create a new Python script containing our reverse shell
next, download the file to /tmp
then echo that file over the existing Python script, overwriting its contents, and cat it to verify
set up a netcat listener on the new port, browse the site to trigger the Python script... and we have a reverse shell as user le!!
now back to run.sh: we take a look and it's just netstat and ps commands
we own the file (as le), so chmod it and append a /bin/sh
with that, run mi6... and we're root
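Both escalations above are the same weakness: a privileged context (the 8081 web server running as le; the root-owned SUID mi6) executes a file that a less privileged user can write (the Python script writable by www-data; run.sh owned by le). As an added example, not code from the VM, the following Python automates the check we did by hand: list SUID/SGID binaries under a directory, pull the absolute paths embedded in each (the strings | grep '^/' trick), and report any the current user can overwrite. The demo builds a constructed mi6/run.sh pair in a temp directory; the "binary" contents are made up, and find_suid, referenced_paths and audit are this example's own names.

```python
import os
import re
import shutil
import stat
import tempfile

# Absolute paths embedded in a binary or script, roughly what `strings | grep '^/'` shows.
PATH_RE = re.compile(rb"/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+")


def find_suid(root):
    """Walk `root` and return files with the SUID or SGID bit set (like find -perm /6000)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
            except OSError:
                continue
            if mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def referenced_paths(binary):
    """Absolute paths mentioned inside `binary`; these are the helpers it may execute."""
    with open(binary, "rb") as f:
        data = f.read()
    return sorted({m.decode() for m in PATH_RE.findall(data) if len(m) > 3})


def writable_by_me(path):
    return os.path.isfile(path) and os.access(path, os.W_OK)


def audit(binaries):
    """Map each binary to the referenced helper files the current user could overwrite."""
    findings = {}
    for binary in binaries:
        weak = [p for p in referenced_paths(binary) if p != binary and writable_by_me(p)]
        if weak:
            findings[binary] = weak
    return findings


def demo():
    """Constructed layout mirroring the VM: a wrapper 'mi6' that embeds the path of a
    'run.sh' next to it, and a run.sh the current user can write. Setting a real SUID bit
    needs root, so the wrapper is an ordinary file and audit() is run on it directly."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "run.sh")
    wrapper = os.path.join(d, "mi6")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\nnetstat -tulpn\nps aux\n")  # what the page says run.sh did
    with open(wrapper, "wb") as f:
        # Made-up "binary": an ELF-looking header followed by the strings a wrapper carries.
        f.write(b"\x7fELF" + b"\x00" * 12 + b"/bin/sh\x00-c\x00" + helper.encode() + b"\x00")
    try:
        refs = referenced_paths(wrapper)
        findings = audit([wrapper])
    finally:
        shutil.rmtree(d)
    return wrapper, helper, refs, findings


if __name__ == "__main__":
    w, h, r, f = demo()
    print("references:", r)
    print("writable helpers:", f)
```

On a real box, run audit(find_suid("/")) as the low-privileged user; the fix is the usual one: privileged wrappers call helpers by absolute path, the helpers are root-owned and not group- or world-writable, and scripts served by one user are not writable by another.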
moving to /root/flag we find a script, flag.sh, which when run tells us to open a URL
nice