Valenka, played by Ivana Milicevic
Born in Sarajevo, Bosnia and Herzegovina on 26th April 1974
Starred in Casino Royale (2006)
Valenka is first seen wearing a skimpy swimsuit climbing the ladder of the yacht owned by Le Chiffre, moored somewhere in the Bahamas.
Later, when Steven Obanno learns of Le Chiffre losing his money, he pays Le Chiffre a visit in Montenegro. When Le Chiffre returns to his suite, Valenka is standing on the balcony, where she says she’s sorry just as Obanno appears and attacks Le Chiffre. Filled with rage, Obanno strangles Le Chiffre, who informs him that the money isn’t lost and he will have it the next day. Obanno decides someone should lose an arm for this betrayal, but since Le Chiffre needs his to play cards, he decides to cut off Valenka’s arm instead. It turns out to be a bluff when he stops at the last moment, much to the delight of Valenka. Obanno tells her to find herself a new boyfriend, since Le Chiffre didn’t protest to her arm being cut off.
Back at the poker table, after Bond buys back in and starts to win, Valenka slyly puts poison into Bond’s drink. When Bond drinks a large amount of the drink shortly afterward, it forces him to leave the table, much to Valenka’s delight. This is short-lived, however, when Bond returns to the table jokingly commenting that the last round nearly killed him.
Valenka is present while Bond is removed from his wrecked Aston Martin DBS, and Le Chiffre and his henchmen take Bond and Vesper Lynd to be tortured. While not actually seen on screen, it is presumed that Mr White kills Valenka before killing Le Chiffre and saving Bond.
Attractive blond partner of Le Chiffre, she is never very far from him. Valenka seems to have a penchant for skimpy outfits which continues throughout the film, much to the distraction of other players during the poker tournament.
A keen swimmer, Valenka is more than just pleasing eye candy, however. She appears quite adept at poisoning Bond’s drink, and certainly seems to take great pleasure in watching the results take shape.
CasinoRoyale is another Boot2Root machine I’ve built targeted towards WebApp exploitation. I’ve received questions on prior B2R machines - specifically upon initial release, so decided to make an “official” walkthrough as this box has many steps. Located on VulnHub or Google Drive.
I’m sure there are additional ways to get root, so feel free to get creative. This box is targeted towards AppSec, along with shell and permission manipulation.
Note: Normally I’d be doing quite a bit more enumeration, but in this case I know what’s necessary to get root.
Upon an initial scan…
It looks like FTP, SMTP, HTTP and another unique port, 8081, are open. Be sure to investigate any entries in robots.txt - some may be interesting... and some may be red herrings.
Using curl and dirb we investigate ports 80 and 8081.
Port 8081 contains PHP running something in collect.php, no hits on dirb - we’ll be putting this on the todo list. Port 80 contains quite a bit of directory hits including index.php. Investigating a bit it seems like a Poker tournament leaderboard - including some familiar characters.
First, note the info mentions using the domain casino-royale.local instead of the IP. Update your /etc/hosts file to match this request (which may be needed for future exploits ;-)
At the bottom of the page a juicy chunk of info is found - Created with PokerMax Poker League Software. Running a quick searchsploit query brings up a compatible exploit:
Looks like this web app is vulnerable to Insecure Cookie Handling, which would allow anyone to login as Admin. Steps seem simple enough, go to casino-royale.local/pokeradmin/configure.php
enter the following string into the url:
Then go back to casino-royale.local/pokeradmin/configure.php
and you should be logged in as admin. Simple right? Ok GO!
After clicking around investigating the admin GUI, a hint is found within the profile of user: Valenka. The hint contains a new URI. Side note - it may be possible to inject some malicious PHP code into any of the fields present in the browser, depending on how sanitization is handled.
After following the URI in Valenka’s profile, it seems we’re directed to a company blog. Clicking through the blog posts, dropdowns, etc, it’s discovered the CMS is SnowfoxCMS and the CMS admin has an email of valenka@casino-royale.local.
Doing a quick search for snowfox exploits, one appears as a Cross-Site Request Forgery that will add an arbitrary user as Admin.
With CSRFs we need user interaction, specifically a Snowfox CMS Admin to go to our malicious link and click a button. According to a blog post, admin user Valenka checks her email for new clients and looks into any relevant links.
So there is “a user” opening email, clicking links and form submit buttons (cough cough).
We’ll copy the exploit, alter a few variables and host it on our Kali Apache server. Then send an email to valenka with our malicious link in the body. We’ll make sure to include a known reference in the subject line as requested. That way it won’t look like spam, and “the user” should just click on random links in emails, right?
Altered exploit:
Sending mail via telnet:
Tailing the Apache access log gets a valid hit:
Now we’ll try to login as our new user, and boom admin:
Clicking around again, something juicy is found in Le’s profile - a new URI! Note: Using Snowfox to upload malicious files to get shell may be another vector. I haven’t dug into that option though.
Following this new URI, we’re brought to a simple page which, after investigating the source, looks like a possible XXE vulnerability. Lucky for us, the PHP code is in the comments. Using POST requests a user may be able to read from the file system.
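The defensive side of the XXE issue described above, as an added example rather than code from the box or its author: a Python request parser that refuses any DOCTYPE or entity declaration before building a tree. The target page itself is PHP; the element names and sample bodies below are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def _refuse(kind):
    # Build an expat handler that aborts parsing as soon as it is called.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in untrusted XML")
    return handler


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from a request body, refusing DTDs before building a tree."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _refuse("DOCTYPE declaration")
    guard.EntityDeclHandler = _refuse("entity declaration")
    guard.ExternalEntityRefHandler = _refuse("external entity reference")
    try:
        guard.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc
    # Only documents with no DTD at all reach the real parser.
    return ET.fromstring(data)


# Constructed sample bodies (element names are made up for this example).
BENIGN = b"<creds><customer>valenka</customer></creds>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE creds [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
           b"<creds><customer>&f;</customer></creds>")


def check(body: bytes) -> str:
    """Return a short verdict string for one request body."""
    try:
        return "accepted: " + parse_untrusted(body).findtext("customer")
    except ForbiddenXML as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(check(BENIGN))
    print(check(HOSTILE))
```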
Check out this thorough guide to XXE - which basically outlines the exploit. After creating a bogus file with the needed parameters, which also includes a request to read file:///etc/passwd
we run curl against this page to include the bogus file…
And we see the /etc/passwd file. Also another bit of info is located on main.php - the custom FTP account has a simple password. After checking out the /etc/passwd file we see a unique user:
Let’s see what port 21 can offer us….
Running hydra against FTP using the newly found username, a password is found.
Logging into FTP, it looks like we’re in a web directory. From here a shell can be uploaded, but are there restrictions on file types? Yes! And after a bit of testing, it looks like perl and cgi file types are allowed. Using the PUT command, a cgi webshell is placed in this FTP web directory.
Testing this new shiny webshell out, we see it works:
From here a reverse shell can be uploaded using any file type using wget. I’ll create a python reverse shell on my local Kali box, then wget it from the cgi webshell, change permissions, create a listener and execute it.
Now giving it permissions, and executing it, an initial shell is obtained.
At this point I’d usually be running enumeration scripts, poking around for something interesting, but in this case I’ll be locating that juicy php file found on port 8081 from our initial scan.
An interesting directory. Navigating to it, plenty of unique files with permissions are all over the place - specifically a SUID permission on a binary file: mi6-detect-test
The initial goal will be to bump up privs to user le, which can be done after noticing collect.php is executing a file we (www-data) have permissions to write to: casino-data-collection.py
So, after clicking the collect.php (owned by le) button, it will actually execute the python script (which we have write perms to), outputting results to the browser. Easy right?
I’ll choose another python reverse shell. The collection script will wget my reverse shell, update permissions, then execute.
Now we have a little more visibility into these files, specifically: closer2root.txt and run.sh. Looking into run.sh we see it’s a homemade script to check a few running resources on the system.
Testing this SUID binary, it looks like it’s just running the run.sh script, which we now have write access to. So just like the last hack, we can edit run.sh to contain another reverse shell or any system command as root. Since we already have 8 billion shells open, why not add another one?
This time a simple reverse bash shell will be added to run.sh, then execute mi6_detect_test as le.
Great, root is had.
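Both escalations above work because a script is executed as one account but editable by another. This added audit example (not part of the original walkthrough) flags that condition for entry-point/helper pairs; the file names and temp-directory layout are constructed, and group-writable is treated as a finding without checking who is in the group.

```python
import os
import stat
import tempfile

def writable_by_others(path, runs_as_uid):
    """Reasons why someone other than runs_as_uid (or root) can alter path."""
    reasons = []
    for target in (path, os.path.dirname(os.path.abspath(path))):
        st = os.stat(target)
        # A sticky directory (e.g. /tmp) stops users replacing each other's files.
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            continue
        if st.st_uid not in (0, runs_as_uid):
            reasons.append(f"{target}: owned by uid {st.st_uid}, executed as uid {runs_as_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append(f"{target}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{target}: world-writable")
    return reasons

def audit_chain(links):
    """links: (entry_point, helper, service_uid) triples, where helper is the
    script the entry point executes. A setuid entry runs it as the entry's owner."""
    findings = {}
    for entry, helper, service_uid in links:
        st = os.stat(entry)
        uid = st.st_uid if st.st_mode & stat.S_ISUID else service_uid
        reasons = writable_by_others(helper, uid)
        if reasons:
            findings[helper] = reasons
    return findings

def demo():
    """Constructed layout: a setuid launcher with one tight and one loose helper."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("launcher", "helper_ok.sh", "helper_loose.sh")}
    for p in paths.values():
        open(p, "w").close()
    os.chmod(paths["launcher"], 0o4755)         # setuid bit, as on the SUID binary
    os.chmod(paths["helper_ok.sh"], 0o755)      # only the owner can edit
    os.chmod(paths["helper_loose.sh"], 0o775)   # group members can edit too
    me = os.getuid()
    return paths, audit_chain([(paths["launcher"], h, me)
                               for h in (paths["helper_ok.sh"], paths["helper_loose.sh"])])

if __name__ == "__main__":
    for helper, why in demo()[1].items():
        print(helper, *why, sep="\n  ")
```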