Casino Royale Valenka



Goal

root

Download

Walkthrough

nmap


default 80

default 8081

nothing happens after post

dirb shows some interesting directories

cards…nothing

kboard…nothing

robots is cards and kboard…lol

trying index.php reveals a pokermax software

we find an admin page, but default checks don't work

we move to sqlmap

sqlmap success and we find the admin password

pokermax admin logged in

looking around, user valenka has some info in the profile

update /etc/hosts and browse to url, it's a cms

going through the posts, this one looks interesting seeing how port 25 is open

quick search on e-db reveals a csrf attack that looks like it could work: https://www.exploit-db.com/exploits/35301

setup the csrf file and hosted on attacking machine through apache

setup for the email took some time trying to figure out the correct subject line, had to go one by one through the poker clients

final send email with a link to the csrf file

access log shows file is checked!

attempt to sign-in with creds provided in csrf file

success! in as admin

wasted a lot of time looking for places to add php code, ends up there were details in a user profile again

browsing to the new url, it's a file directory


browsing to main.php, nothing special


but we find interesting notes in the source

looks like xxe vuln and here is a good post to follow: https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

setup xml.txt and curl command

running reveals /etc/passwd

now we have users, know that ftp is open and from the comment in the ultra source that it's an easy password. throw hydra at it…success

ftp access is successful, however we cannot do much. cannot upload, but can make directories

after some playing around, we can upload just without extensions :)

however we cannot add .php extension, but .php5 worked

we setup our netcat listener and browse to the file, but nothing happens. looking we need to add permissions to the file, we just 777 it

we revisit the file in the browser and we have a reverse shell

quickly find valenka password for mysql


able to elevate to user valenka after breaking out of jail. after much searching, elevation didn't help though

back as www-data, searched and found an interesting suid file and directory

running the suid file it seems it's pulling network stats and processes, most likely using run.sh

from here we need to become user le, so we look at some of the files being served by the webserver. it shows index.html calls collect.php

we see it's calling the python script and we see it's editable by www-data. it's currently reading a log file, but perhaps we can change that to a reverse shell?

we know we can access these files via that 8081 port. looking more closely we see that the web server at this port is run by user le

first let's create the new python script containing our reverse shell

next we download the file to /tmp

then we echo that file into the existing python script and overwrite the contents. we do a cat to verify as well


we setup a netcat listener on the new port, browse site and trigger the python script…we have a reverse shell as user le!!

so now back to the run.sh file, we take a look and we see it's just netstat and ps commands

well we own the file, let's chmod and append a /bin/sh


with that let's run mi6…and we root
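A defender-side check for the weakness used in the last two escalations (a setuid binary running a helper script that a lower-privileged user owns, and likewise the www-data-writable Python script behind collect.php): this is an added example, not part of the original walkthrough, that scans a directory tree for setuid files and flags any script they reference that a non-root user can rewrite. Finding helpers by string matching and resolving relative names next to the binary are assumptions; `mi6` and `run.sh` are the names from the walkthrough.

```python
import os
import re
import stat

# Script-like names embedded in a binary (e.g. the "run.sh" that mi6 calls).
SCRIPT_REF = re.compile(rb"[\w./-]+\.(?:sh|py|pl|rb)\b")


def referenced_scripts(blob):
    """Return script paths that appear as printable strings inside a binary."""
    return {m.decode() for m in SCRIPT_REF.findall(blob)}


def helper_is_hijackable(st, trusted_uids=(0,)):
    """A helper is unsafe if an untrusted owner, its group or 'other' can rewrite it."""
    untrusted_owner = st.st_uid not in trusted_uids
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return untrusted_owner or loose_mode


def audit_setuid_helpers(root, trusted_uids=(0,)):
    """Walk root; report (setuid_binary, helper) pairs where the helper is hijackable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                continue
            with open(path, "rb") as fh:
                blob = fh.read()
            for ref in sorted(referenced_scripts(blob)):
                # Assumption: relative names are resolved next to the binary.
                helper = ref if os.path.isabs(ref) else os.path.join(dirpath, ref)
                if os.path.isfile(helper) and helper_is_hijackable(
                    os.stat(helper), trusted_uids
                ):
                    findings.append((path, helper))
    return findings


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for binary, helper in audit_setuid_helpers(target):
        print(f"{binary} runs {helper}, which a non-root user can modify")
```

The fix for a finding is to make the helper and its directory root-owned and not group- or world-writable, or to drop the setuid bit.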

moving to /root/flag folder we see a script flag.sh, which when run tells us to open a url

nice
