Gears of War: EP#1 Vulnhub Walkthrough

Gears of War: EP#1 VM is made by eDu809. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • Netdiscover
  • Nmap Port Scan

Enumeration

  • Browsing HTTP Service
  • SMB Login

Exploiting

  • Using Crunch to generate a wordlist
  • Using Fcrack to bruteforce ZIP file password
  • Using Hydra to bruteforce SSH Login

Privilege Escalation

  • Reading /etc/passwd File
  • Getting SUID bit files
  • Using Openssl for generating a password hash
  • Adding  User to /tmp file
  • Reading Final Flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.

We found the target IP Address 192.168.1.184. Let’s begin with basic port scanning with NMAP.

Enumeration

For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.

Since HTTP service was not much of a help. On the other hand, we can clearly note from the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on with SMB. We logged in using the command mentioned. There is a list of shared directories. We tried accessing LOCUS_LAN$ directory and enumerated it. We find a notes.txt file and msg_horda.zip file. Let’s transfer these files on our machine to read their contents.

We tried opening the msg_horda.zip file but it seems password protected.

We thought of reading the contents of SOS.txt file and it was a success. It surely gave us a hint about the characters of the password for ZIP file.

Exploiting

It’s time to FIRE UP!! Crunch and generate a wordlist as per the combination of the password we have fetched from the SOS.txt file.

Once the wordlist is all set up, we have used FCRACK TOOL to crack the password for the ZIP file as shown below.

The password for the ZIP file is r44M. We also found a key.txt file inside the ZIP file.

After reading the key.txt file, we got another credential which could be useful for SSH login but we still need a username. Bring up HYDRA.

We have brute forced the username for SSh Login using hydra with password 3_d4y.

After successfully logged into SSH, we try enumerating the /etc directory but couldn’t because user Marcus doesn’t have the privileges to access the /etc directory.

Privilege Escalation

Since our target machine is in a bash shell. We will be using a command to force SSH for TTY allocation. This will help us run commands as an administrator. Finally, we are able to access the /etc directory.

On reading the passwd file which was not much help, but we got an idea what we can do next.

On checking the SUID bit for all the readable files under /bin directory, we came to know that the current user can use the cp command. This is going to be interesting.

Without any further waiting, we need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.

Now back to our user marcus on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We have to use nano command to make an entry in the /tmp directory. After making an entry we checked the entry using the tail command. cd /tmp

Now all we to do login using username and password, we just created to get our root shell. On enumeration we found flag.txt.

Time to Read our Final Flag!!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Security Analyst. Contact Here

4 Comments Gears of War: EP#1 Vulnhub Walkthrough

  1. Ganapathy

    nmap -A -p 43.255.154.125

    By using this first command….

    [email protected]:~# nmap -A -p 43.255.154.125
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-15 23:41 EST
    Error #487: Your port specifications are illegal. Example of proper form: “-100,200-1024,T:3000-4000,U:60000-”
    QUITTING!

    Comming like this….
    what to do sir…..?

    Reply
    1. Alain

      Hello Ganapathi,|

      Your command line is wrong at the port part.

      Try:

      nmap -A -p- IPNUMBER
      like:
      nmap -A -p- 192.168.100.60

      or

      nmap -A -p PORTNUMBER IPNUMBER
      like:
      nmap -A -p 80 192.168.100.60

      Reply
  2. mike

    Hi
    I get stock at creating usr
    i don’t know what to do in
    cd /tmp i did nano passwd and i put my password hash but when i write
    su my name it say no passwd entry for user ! can u tell me how i make it right please thanks

    Reply
    1. Alain

      Hello Mike
      They forgot 1 step:
      go to /tmp and do following:

      cp passwd /etc/

      You need to copy the passwd file you created to the /etc/passwd folder.

      Then you can switch to root user.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *