Hack the Gibson VM (CTF Challenge)

It’s a boot2root challenge and it does not get over with getting root access. You have to find flag also. So let’s start.
First of all download lab from https://download.vulnhub.com/gibson/gibson.ova
Now open kali terminal and like always start with first step i.e. netdiscover
netdiscover
it shows all the hosts those are up in our network and from here we get our target ip.

Target IP: 192.168.1.6


As our target is all set we are going to scan it with nmap which will show all the open ports. In this case open ports are only two i.e. 22 and 80.
nmap –p- -A 192.168.1.6


As from the above result we have got 80 port open so we will open target ip in browser. It shows an accessible directory. Let’s try opening it as we cannot see anything important here.


Oh no such luck with this also. It’s written the result will be found by brute force but there is no place where we can apply brute force


As we do not have any other option so let’s just go to view page source to see if we could get any clue to move further in our task. Right click on page and choose view page source. Great, we have password god for margo

Now from our nmap result we have got port 22 open which is for ssh login. So open it in kali terminal
And password is god which we got from last result. Good we have access of our lab now.


Our next step is to find the kernel version of lab and for that type
lsb_release–a
it gives that Ubuntu 14.04 is used and to get the root access of  lab, we will use the particular exploit made for this kernel version i.e. 39166. So first download it and then compile by command
gcc 39166 –o 39166
after compiling copy it to var/www/html now run the commands given below to get root access
cd /tmp
chmod 777 39166
./39166
As we have root access, finally first challenge is completed. Now it’s time to find the flag.


Now we are in root so we will download LinEnum.sh zip file to get the better access of Linux and privilege escalation. After unzipping it, move in to folder and just copy LinEnum.sh file to var/www/html. Perform the following commands with ip of kali linux
chmod 777 LinEnum.sh
./LinEnum.sh


It shows all the services running.

Here we get some interesting file which is highlighted in below image. It shows some external server is running.


Now from the process list we see something like ftpserv so we can just search based on that.
Find / -name ftpserv*
Awesome it gives us aftpserv.img file which can prove to be an useful thing.

Now I copied this ftpserv.img file for easy downloading.
Cp /var/lib/libvirt/images/ftpserv.img /var/www/html
Chmod777  /var/www/hmtl/ftpserv.img


Here I downloaded that ftpserv.img file in my kali linux.
wget http://192.168.1.6/ftpserv.img


This time I have checked the file type of downloaded file and then extracted it
fileftpserv.img
losetup /dev/loop0 /root/ftvserv.img -0 $((63*512))


It extracted the ftpserv.img  and it has some files inside it. When I opened garbage folder there I saw a flag.img file which is what we need i.e. flag.


Open garbage folder in terminal and make directory flag for extracting flag.img in it.
mkdir flag
mount –t ext2 flag.img flag
now I open flag folder and here I could see all extracted data of flag.img even hidden files also.
cd flag
ls –la
from the list of files I open .trash folder
cd .trash
ls –la
and here we can see that finally we got our flag but it’s in other file type so let’s check it
fileflag.txt.gpg
this shows that task is not completed yet and we still have encrypted flag.


Though we have our flag but we do not have key for decryption. So looking around it I found a hint.txt file of flag which probably could have key to open it. So let’s open it
cat hint.txt
Here we can see that it gives 2 links.

Now we open the above links in Firefox browser. And we get 2 movies which has only one thing in common i.e. actor jonny lee miller.



After doing Google search about these movies and jonny lee miler I came to know that in hacker’s movie he has aliases like zerocool, crash over ride etc. so by using cup software I created a dictionary. By running following command in .trash folder. Simultaneously it’s decrypting our encrypted flag also.
for x in $( cat /root/Desktop/cup/zerocool.txt) ; do
>echo [x] trying $x
>gpg –output flag.txt –passphrase $x –decrypt flag.txt.gpg
>done
At the bottom it gives that flag.txt exists.


Now again running ls command it reflects off flag.txt file which is basically our flag. So at last type the given command.
cat flag.txt
Fantastic, after all the difficulties we successfully got our flag.

0 comments:

Post a Comment