Welcome to my first Vulnhub walkthrough! Today, I’ll be going over how I solved Gibson: 0.2 by knightmare. It’s a boot2root/CTF and can be found here: (Gibson: 0.2)

Let’s begin.

First, let’s nmap the VM. I’m not worried about being stealthy, so a -A (OS and version detection, default scripts and traceroute) should suffice.

We see that we have ssh and a web server running on default ports. Pretty standard.

Going to the website, we get an index that leads to one file named “davinci.html”. It displays a cryptic message: “The answer you seek will be found by brute force”. Hmm. Good hint to remember. Having done enough CTFs in the past, I make sure I view the page source.

Of course! If you haven’t picked it up by now, Gibson, Da Vinci, Margo, Eugene… It’s all references to the cult classic Hackers! In the movie, the four most commonly used passwords are “love”, “sex”, “god”, and “secret”. margo:god looks like a good ssh username:password combination. But before I try that, let’s thoroughly enumerate the website so we don’t miss anything.

I tried both nikto and dirsearch, a neat Python tool that brute-forces a web server for common directories and files. I plan on making a future post about dirsearch since it’s proven incredibly useful in most Vulnhub VMs I’ve solved in the past.

However, neither turned up anything else. Let’s try the ssh route with margo:god.

Cool. Now that we have a shell, I do a host survey of the VM. Doing some basic recon, I found users margo, eugene, and duke. I didn’t find anything eye-popping in their home directories. Eugene has an executable called “spin64”. I don’t remember where I’ve seen it before, but I know it isn’t anything useful.

I checked what commands margo can run with sudo -l.

I didn’t know it at the time, but this hinted that the VM is vulnerable to the (then recent) ImageTragick exploit, CVE-2016-3714, a command injection through ImageMagick’s delegates. However, I managed to solve the CTF without using it. I plan on revisiting this VM later to learn more about ImageTragick, but let’s continue.

——————————————–

UPDATE: I learned how to use the ImageTragick exploit to easily gain root with margo and wrote about it in another post. Click here if you would like to read about it. Otherwise, keep reading. It’s solvable without ImageTragick either way.

——————————————–
Knowing that margo used “god” as her password, I tried the other three common passwords against the other users. Sure enough, after some trial and error, I found that eugene used “secret” and duke used “love”. Just like with margo, I also checked what they could run with sudo.

Looks like duke isn’t interesting. However, eugene can run virt-manager, which hints at a VM within a VM. More interestingly, eugene can run visudo, which means I can edit the sudoers file to give eugene unrestricted sudo. That is equivalent to having root.

It’s not necessary at this point since you can just sudo as eugene, but if you’ve followed me this far, try a sudo su as proof of gaining root 🙂

Now the real fun begins. Earlier we saw that there was a VM that we should be able to access based on the fact that virt-manager is installed and was something eugene could run. We were also provided the following hints from knightmare.

Once again, I’ll offer some hints to you:

  • SSH can forward X11.
  • The challenge isn’t over with root. The flag is not where you expect to find it

This means that we can forward X11 so we can run virt-manager in a GUI. On the client side this is done with the -X ssh option (the server side must also have X11Forwarding yes in sshd_config and xauth installed). However, trying to ssh directly as eugene proves a problem.

There is probably something in the ssh configuration blocking eugene. Nothing we can’t fix. With eugene’s sudo powers, we can look at /etc/ssh/sshd_config to find the problem. At the very bottom we can see that only margo is allowed to log in with a password rather than an SSH key. Adding eugene to that block should fix this.

I also edited /etc/passwd to give eugene bash as a login shell (chsh -s /bin/bash eugene does the same thing).

Check the config with sshd -t, restart the ssh service, and you should now be able to log in as eugene while forwarding X11.

With X11 being forwarded, simply run virt-manager &. You’ll see virt-manager with one running VM named ftpserv.

VM running inside Gibson

Double clicking on the VM pops up a machine running FreeDOS. I surveyed our new target and in C:\GARBAGE (another reference to Hackers) I found an image named FLAG (getting close!), a jpeg named ADMINSPO, and an ANS file named JZ_UG.

The files are in the computer!

Having never used DOS in my life, I spent a bit of time trying to figure out what I could do to get the files out of the VM. I found out that the program mTCP gives FreeDOS the ability to use FTP, among other things, and would be one way to transfer the files. I set up FTP on the Gibson by installing vsftpd as eugene and making some edits to its config file. It’s a pretty standard FTP set-up, but if you need help, leave a comment and I’ll point you in the right direction! Here is a link that can help in the meantime. The most important thing to remember is to edit /etc/vsftpd.conf so that local users can log in and write (local_enable=YES and write_enable=YES).

With that set up, you should be able to run ftp [Gibson’s IP] on the FreeDOS VM. Log in with eugene’s creds, switch to binary mode so the .img and .jpeg aren’t mangled by ASCII transfer, and do a simple put on each of the three files to send them to the Gibson VM.

FTPfileTransfer

You can then move those files to your Kali VM (or whatever you work with) with scp, or by starting python’s SimpleHTTPServer on the Gibson. Anyway, let’s see what we’re working with.

I ran cat and strings on JZ_UG.ans.

It didn’t give me much. (.ANS files are ANSI art: CP437 text full of escape sequences, which a UTF-8 terminal will garble.) I’m still curious what this is, so if anyone can make it readable, please let me know.

Opening up the jpeg shows the following. It’s a reference to the movie Trainspotting which will come to play in a bit.

I run both strings and exiftool on it to see if we can find any metadata.

More hints! The VM it’s hinting at is the one we’re already inside. The CVE is the ImageTragick I mentioned earlier. I spent quite a bit of time trying to understand how the exploit came into play when I first saw this, but at this point I didn’t need to use it. The last line is important though.

In Trainspotting, the man who knew a lot about Sean Connery was Sick Boy, played by Jonny Lee Miller. The second half refers to Dade (a.k.a. Zero Cool, a.k.a. Crash Override) from Hackers. He caused a seven-point drop in the NYSE at the very beginning of the movie. Neat. I’m sure that’ll come into play in a bit.

Finally, let’s take a crack at the FLAG.img. I figured I’d mount it.

In the img we see some interesting files, including the flag, which is encrypted with GPG.

The davinci files are just a game of snake that you can play in the terminal. Nothing to see there.

The hint has links to the IMDb pages of Hackers and Trainspotting.

We’ve already figured out that Jonny Lee Miller was in both movies, and the image file found next to the flag is a still from Trainspotting with Miller in the center of it to provide another hint. “Nom de plume” means pen name (or handle). In Hackers, Miller’s character’s handle was ‘Zero Cool’. That has to be the password for flag.txt.gpg. However, it doesn’t seem to work. I then remembered the first hint found on the web server: The answer you seek will be found by brute force.

I figured it’s probably a derivative of his handle. John the Ripper can generate such derivatives: given a wordlist and a rule set, --stdout prints every mangled candidate instead of cracking anything.

I start by making a text file with the basic variations of his handle. I also added “kool” with a “k” in case knightmare was trying to be extra tricky.

Running the first command below through john makes a list of all case derivatives of the words (lower and upper). The second command runs it with rules from KoreLogic, which take the wordlist we just made and add the l33t-speak versions of each entry.

Now I just need a script to help me brute force the gpg file. With the help of the Internet, I crafted the following in python: gpgBruteForce.py

I let my script rip and after a few minutes it says a password worked: Z3r0K00l

I try it out and sure enough it works!
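Neither the john commands nor gpgBruteForce.py are reproduced on this page, so the following is an added example, not the walkthrough’s own script. It does both halves in Python: the two mangling steps (case variants, then l33t substitution on top of them) are reimplemented so it runs without john, and the result is fed to a brute-force loop that only calls gpg if one is installed. The seed words are constructed, the l33t table is a small subset of what KoreLogic’s rules do, and the target path flag.txt.gpg is assumed.

```python
"""John-style wordlist mangling plus a GPG passphrase brute-force loop.

Added example, not the walkthrough's gpgBruteForce.py. The mangling mimics
the two john passes used on the page (case variants, then l33t on top); the
seeds are constructed and the target file name is an assumption.
"""
import itertools
import os
import shutil
import subprocess

# Constructed seed list: the handle in a couple of spellings, including the
# "kool" variant the post added in case knightmare was being tricky.
SEEDS = ["zerocool", "zero cool", "zerokool", "zero kool"]

# Small l33t table. Each matching letter may be kept or swapped; KoreLogic's
# l33t rules do the same kind of substitution over more characters.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def case_variants(word):
    """Lower, upper, capitalised, and per-token capitalised forms of a seed."""
    tokens = word.split(" ")
    return {
        word.lower(),
        word.upper(),
        word.capitalize(),
        "".join(t.capitalize() for t in tokens),   # "zero cool" -> "ZeroCool"
        " ".join(t.capitalize() for t in tokens),  # "zero cool" -> "Zero Cool"
    }


def leet_variants(word):
    """Every keep-or-substitute combination over the letters in LEET."""
    choices = []
    for ch in word:
        sub = LEET.get(ch.lower())
        choices.append((ch,) if sub is None else (ch, sub))
    return {"".join(p) for p in itertools.product(*choices)}


def build_wordlist(seeds):
    """Case mangling first, then l33t mangling of each cased word (page order)."""
    cased = set()
    for s in seeds:
        cased |= case_variants(s)
    full = set(cased)
    for w in cased:
        full |= leet_variants(w)
    return sorted(full)


def gpg_decrypts(path, passphrase):
    """True if gpg accepts `passphrase` for `path` (gpg 2.1+ loopback pinentry)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--quiet", "--pinentry-mode", "loopback",
         "--passphrase", passphrase, "--decrypt", "--output", os.devnull, path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def brute_force(candidates, try_passphrase):
    """Return the first candidate the oracle accepts, or None if none does."""
    for pw in candidates:
        if try_passphrase(pw):
            return pw
    return None


if __name__ == "__main__":
    wordlist = build_wordlist(SEEDS)
    print(f"{len(wordlist)} candidates generated")
    target = "flag.txt.gpg"  # assumed path, as named in the walkthrough
    if shutil.which("gpg") and os.path.exists(target):
        print("passphrase:", brute_force(wordlist, lambda pw: gpg_decrypts(target, pw)))
    else:
        print("gpg or target not present; candidates only")
```

The oracle passed to brute_force is just a callable, so the loop can be pointed at any decryptor, and on a real run gpg returns non-zero for a wrong symmetric passphrase, which is what the loop keys on.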

Awesome! I had a real fun time with this VM. The references to Hackers were a neat spin. I’ve previously solved Droopy (knightmare’s first VM) and I’m looking forward to future VMs by knightmare.

Anyway, I appreciate you checking out my walkthrough. I’m always looking to improve my skills so if you have any recommendations on ways I could have done something better or just have a question, leave a comment below.

Thanks and Hack the Planet!

Vulnhub Walkthrough – Gibson: 0.2