Hack the Gibson VM (CTF Challenge)

Hello friends!! Welcome to our next CTF challenge from VulnHub, called “Gibson”, a boot-to-root challenge whose ultimate goal is to get the flag and finish the task. This VM is designed to test your penetration testing skills by spawning a root shell on a weakly configured machine, and the author asks you to find the hidden flag through privilege escalation. You can download it from the link given below. I found this lab more interesting because it involves cyber forensics to reach the final flag.

Download it from here: https://www.vulnhub.com/entry/gibson-02,146/

Penetration Methodology

  • Network Scanning (Netdiscover, Nmap)
  • Abusing HTTP service for username & password
  • Spawning a PTY shell over SSH (Metasploit)
  • Privilege Escalation via Kernel exploit
  • Uploading LinEnum script
  • Obtain disk image
  • Forensic analysis to extract the hidden flag.img
  • Decrypt the GPG-encrypted file using a leet-encoded value
  • Capture the Flag

Let’s start off by scanning the network to find our target’s IP.

Our target IP is 192.168.1.100. Now we move on to network enumeration, scanning the target IP with nmap to list all of its open ports.

In this case only two ports are open, 22 and 80; moreover, nmap found an HTML file.

Since the result above shows port 80 open, we open the target IP in a browser.

It shows an accessible HTML page, but opening it reveals no crucial information. It says the result will be found by brute force, yet there is nowhere to apply brute force.

As we have no other option, let’s look at the page source to see if there is any clue for moving further in our task.

Ohhh!! Great, there is something related to a username and password: as per my prediction, god could be the password and margo could be the username.

Now, from our nmap result we saw port 22 open for SSH login. So let’s try to log in over SSH using the credentials found above, with the help of the Metasploit framework. Using the following module we can gain a meterpreter session once the exploit succeeds.

Hmm!! That’s great, we have compromised the target machine, and you will love to see that the session opened by default is a command shell session, which we then upgraded to a meterpreter session. Then run the “sysinfo” command to identify the system architecture.

As it was Ubuntu 14.04 (Linux 3.19.0-25-generic), I searched Google for a kernel exploit for privilege escalation.

Luckily, I found this kernel was badly affected by Overlayfs – A Local Privilege Escalation, and Metasploit has a built-in module for this exploit.

Here again the session opened by default is a command shell session, which we then upgraded to a meterpreter session.

Now let’s upload LinEnum, a scripted Local Linux Enumeration & Privilege Escalation Checks shell script that enumerates the system configuration and gives a high-level summary of the checks/tasks it performs.

To learn more about the LinEnum script, visit the link below:

https://www.hackingarticles.in/linux-privilege-escalation-via-automated-script/

Here we get an interesting entry, highlighted in the image below. It shows that some external server is running.

In the process list we see something like ftpserv, so we can search for files based on that name.

Awesome, it gives us the “ftpserv.img” file, which could prove useful; let’s download it to our local machine with the help of the following command.

So let’s check what type of file it is. The file command shows the complete details of the image file, and from this we learn that the image is a partition boot sector, which contains all the information the file system uses to access the volume.

Now let’s find the partition table of the device, along with the sizes given in sectors, with the help of the following command.

Wonderful! It is a FAT16 file system, and as we have now entered the forensic phase, you should have a little knowledge of cyber forensics. We are going to use The Sleuth Kit, a command-line forensic analysis toolkit, to list the file and directory names in this image with the help of the following command.

Hmmm!! Here I found something very interesting, a “garbage” folder; let’s explore it by executing the command below.

Awesome!! It was good to see an image file “flag.img” along with its inode number. An inode number holds metadata, and I’m pretty sure we will pull that information from inside flag.img. Let’s extract all the content of ftpserv.img into flag.img and then mount it.
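As an added illustration of what the Sleuth Kit listing above is reading (an added example, not code from this post or from The Sleuth Kit), the Python script below parses a FAT16 boot sector and walks the root directory, keeping deleted entries and flagging them the way fls marks them. The image it inspects is a constructed in-memory sample, not ftpserv.img.

```python
import struct

def dir_entry(name: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    entry = bytearray(32)                    # one 32-byte FAT 8.3 directory entry
    entry[0:11] = name                       # 8.3 name, space padded
    entry[11] = attr                         # 0x10 = directory, 0x20 = archive
    struct.pack_into("<HI", entry, 26, first_cluster, size)
    return bytes(entry)

def build_sample_image() -> bytes:
    """Constructed minimal FAT16 image (not the post's ftpserv.img): 512-byte
    sectors, 1 reserved sector, 2 FATs of 1 sector each, 16 root entries."""
    boot = bytearray(512)
    struct.pack_into("<HBHBHHBHHHII", boot, 11,
                     512, 1, 1, 2, 16, 64, 0xF8, 1, 1, 1, 0, 0)
    boot[54:62] = b"FAT16   "
    boot[510:512] = b"\x55\xAA"              # boot sector signature
    fat = b"\xF8\xFF\xFF\xFF" + b"\x00" * 508
    root = bytearray(512)
    root[0:32] = dir_entry(b"HINT    TXT", 0x20, 3, 42)
    root[32:64] = dir_entry(b"GARBAGE    ", 0x10, 4, 0)
    flag = dir_entry(b"FLAG    IMG", 0x20, 5, 1024)
    root[64:96] = b"\xE5" + flag[1:]         # 0xE5 = deleted; data clusters remain
    return bytes(boot) + fat + fat + bytes(root)

def parse_bpb(img: bytes) -> dict:
    """Read the BIOS Parameter Block and locate the root directory and data area."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: missing 0x55AA signature")
    bps, spc, reserved, nfats, nroot, _, _, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    root_offset = (reserved + nfats * spf) * bps
    return {"cluster_bytes": bps * spc, "root_entries": nroot,
            "root_offset": root_offset, "data_offset": root_offset + nroot * 32}

def list_root(img: bytes) -> list:
    """Walk the root directory the way fls does: deleted entries are kept and flagged."""
    bpb, found = parse_bpb(img), []
    for i in range(bpb["root_entries"]):
        e = img[bpb["root_offset"] + 32 * i:][:32]
        if e[0] == 0x00:                     # free entry: end of directory
            break
        if e[11] == 0x0F:                    # VFAT long-name fragment, skip
            continue
        deleted = e[0] == 0xE5
        raw = (b"?" if deleted else e[:1]) + e[1:11]   # first byte is lost on delete
        base, ext = raw[:8].decode().rstrip(), raw[8:].decode().rstrip()
        cluster, size = struct.unpack_from("<HI", e, 26)
        found.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                      "directory": bool(e[11] & 0x10), "size": size,
                      "offset": bpb["data_offset"] + (cluster - 2) * bpb["cluster_bytes"]})
    return found
```

The returned offset is where the entry’s first cluster starts in the image, which is what a recovery tool reads from when carving a deleted file such as the flag image.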

Booom!! Here I saw a very interesting file, “hint.txt”, which holds two links.

When I visited both links, I found that “Jonny Lee Miller” is a character common to both, and in the hacker movie he is called “Zero Cool”.

Then we explored further and found the hidden directory /.trash, which holds an encrypted file flag.txt.gpg, but “Zero Cool” wasn’t the correct passphrase, and it took almost a whole day to decrypt it.

At last I thought from a hacker’s point of view and leet-encoded “Zero Cool”, but unfortunately I was unable to decrypt the encrypted file with Z3r0C00l.

Finally, I obtained the correct passphrase, Z3r0K00l, by replacing the letter C with K, and executed the following command to decrypt the GPG encryption.

Hurray!! We successfully decrypted the file and obtained flag.txt.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover.
