Gibson Walkthrough

Can you hack le Gibson?? Here is how I went about doing it and this was absolutely fun!! Loved the twist that was there.

You can find Gibson here

Quick run-down:

  1. Enumeration
  2. Kung-fu
  3. Exploitation
  4. Read flag 🙂

Exploits used:

  1. OverlayFS

Once we see who is on our net, as always, we begin to enumerate our target and see what possible ways we can go about compromising our guest.

Sweet! I can’t really get anything from SSH, but after going to the webpage, you’ll see “davinci.html”. Upon examining the webpage, I came across some comments in the page source! Sweet, sweet, oh sweet, lovely comments!!

Dirb wasn’t very fruitful, and neither was Nikto…but that’s ok, as you can see. Damn you, Margoooo!! 🙂

Well, the only thing I could think of that would take credentials is SSH. We have two things: Margo and god. After a few quick tries of SSH, I finally got in with “margo:god”.
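The credentials here came straight out of comments in the page source. As an added example (not part of the original walkthrough), here is the kind of pre-deploy check a developer or reviewer can run over HTML to catch that class of leak before it ships. The sample page and its someuser / S3cretPw pair are constructed for this example, and the keyword list is an assumption you would tune to your own code base.

```python
"""Flag HTML comments that look like they leak credentials.

Added example (not from the original walkthrough): the sort of pre-deploy
check that would catch a username/password pair left in a page comment.
"""
import re
from html.parser import HTMLParser

# Words that, inside a comment, usually mean a developer left something behind.
# Assumed list for this example; extend it for your own code base.
SENSITIVE = re.compile(
    r"\b(pass(?:word|wd)?|pwd|user(?:name)?|login|credential|secret|api[_-]?key|token)\b",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment together with its line number."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _offset = self.getpos()  # position of the comment's opening '<!--'
        self.comments.append((line, data.strip()))


def find_leaky_comments(html):
    """Return [(line, comment_text)] for every comment matching SENSITIVE."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [(line, text) for line, text in parser.comments if SENSITIVE.search(text)]


# Constructed sample page; the credential pair is made up for this example.
SAMPLE_PAGE = """<!doctype html>
<html>
<head><title>davinci</title></head>
<body>
  <!-- TODO remove before launch: test login is someuser / S3cretPw -->
  <p>Welcome to the Gibson.</p>
  <!-- layout tweak for the sidebar, see ticket 42 -->
</body>
</html>
"""

if __name__ == "__main__":
    for line, text in find_leaky_comments(SAMPLE_PAGE):
        print(f"line {line}: {text}")
```

Run it over a build output directory as a CI step and fail the build on any hit; the harmless layout comment in the sample is left alone, only the one mentioning a login is reported.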

You might start thinking…WOW! This seems easy so far!! Let’s just keep going 😉

Knightmare mentions that it doesn’t stop after gaining root. So to keep it short, I downloaded the OverlayFS exploit to see if this version was vulnerable to it, which it indeed was. This machine was a 64-bit machine and didn’t have GCC to compile it. That’s ok though, because you can turn your machine into a server to host our compiled exploit 🙂

We were immediately dropped into our root shell but wait…there’s nothing in root! Well, it did say this:

and also mentioned this:

Sweet…what to do now?? I had to check something after thinking about this. I issued the ifconfig command to see what that could possibly mean.

What in the world? If you don’t know what a “virbr0” is, it stands for “Virtual Bridge 0”. One way you can check what’s going on is by using your shell as a proxy. So I exited out of my machine and logged back in, only this time I did so in a way to pivot 🙂 I got pretty excited about this part because this had once beaten me up and kicked my ass in Offensive Security’s PWK, and now I am using it to further compromise this guest, w00t!!

Sweet…now we can see what else is going on. We can now use our tools to attack the Virtual Bridge that we didn’t have access to before, but do now due to creating our tunnel 🙂

Before we proceed, here’s another rundown about proxychains. I use Proxychains-ng because it’s newer. Newer isn’t always better, but I like new and, to be perfectly honest…I’m not sure what the differences are between this and the older version.

You will also need to look in your /etc folder to see if you have the configuration file for Proxychains. If not, a simple apt install would do the trick. Then you can modify it to your needs. I am just sticking to default port of 9050.
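The pivot above works because the SSH login on the target is allowed to forward TCP connections; that is what proxychains rides on to reach the bridge network. As an added example (not from the original post), the script below reads an sshd_config the way sshd does (the first value seen for a keyword wins, and options after a Match line apply only to matching sessions) and reports whether an ordinary login on that host could be used as a pivot. The three configs are constructed, the defaults are OpenSSH's documented ones, and the `sshpivot` group name is made up for the example.

```python
"""Audit an sshd_config for the TCP-forwarding options that let an SSH login
be used as a pivot (a SOCKS proxy onto networks the client cannot reach).

Added example, not part of the original walkthrough. Defaults below are
OpenSSH's documented ones; always confirm the live daemon with `sshd -T`.
"""

# OpenSSH defaults for the options that matter here.
DEFAULTS = {
    "allowtcpforwarding": "yes",   # yes | no | local | remote
    "permitopen": "any",           # destinations allowed for client-opened forwards
    "gatewayports": "no",
    "permittunnel": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Two sshd rules matter for an audit: the FIRST value seen for a keyword
    wins (a hardening line appended below an earlier setting is ignored), and
    options after a Match line apply only to matching users/hosts, so parsing
    stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins
    return settings


def dynamic_forwarding_allowed(text):
    """True if an ordinary login could open client-side forwards, including the
    SOCKS-style dynamic forwarding a proxychains pivot relies on."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    if cfg["allowtcpforwarding"].lower() not in ("yes", "local"):
        return False
    return cfg["permitopen"].lower() != "none"


# Constructed configs for the example.
WEAK_CONFIG = """# forwarding never mentioned, so sshd's default (yes) applies
Port 22
PasswordAuthentication yes
PermitRootLogin no
"""

MISLEADING_CONFIG = """# "AllowTcpForwarding no" was appended later, but sshd keeps the first value
AllowTcpForwarding yes
Port 22
AllowTcpForwarding no
"""

HARDENED_CONFIG = """# off for everyone; re-enabled only for a group that actually needs it
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
Match Group sshpivot
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("misleading", MISLEADING_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"{name:10s} forwarding allowed for a plain login: {dynamic_forwarding_allowed(cfg)}")
```

The misleading config is the case worth remembering: the appended `AllowTcpForwarding no` never takes effect, and only `sshd -T` (with `-C user=...` to test a specific account against Match blocks) tells you what the daemon really enforces. Turning forwarding off globally and re-enabling it per group, as in the hardened config, leaves a compromised low-privilege account like the one in this walkthrough without a ready-made tunnel.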

Ok, moving on. There has to be some interesting stuff open, huh?? Having a virbr0 and all, so I checked:

PORT 5900?! THE PORT VNC USES?!?! Awesome, let’s connect and see what we have going on 🙂

Remember…

You are on a different net, so you can’t connect to it even if you tried. So, using proxychains, I use Remmina to VNC into the machine.


After putting the IP and port, we are presented with this lovely thing 🙂


Now this is where it got crazy for me because this was different, haha!

There were three files in the directory Garbage. Now, I had to figure out HOW to transfer these files…

After some time, and it probably took me a tad bit longer than it should have, I set up an FTP server using some docs. In case you’re interested, you can find it here. This was different, but I reached my goal of getting it to work. I edited the MTCP.CFG file to include this:

It seemed that half my battle was fighting the editor to save and exit, but again, I got it 🙂

I then created a directory to contain ftppass.txt and ftpsrv.log, and then went to find MTCP.CFG, which was located in DOS, and added the above to it. Another snag I hit was figuring out how to do a FREAKING BACKSLASH on my keyboard because UK, that’s why. GRRRRRRR…

This, too, took me longer than it should have to figure out. Using the editor and figuring out how to input a backslash should be on Vulnhub itself…

After doing that, all there was left was to issue the FTP command, and voila!! We have now set up our server 🙂

I happily entered my FTP server and thought I was slick, but was denied getting it because I wasn’t root…lol, ok fine then…so I got my root privs and tried again. I was able to grab them and started dancing…for now.

FLAG!! Buuuuut it’s an .img, so we’ll have to mount it to see what’s next. I transferred it to /var/www/html and then downloaded it from my browser. I had to get my root privileges back so I could move it to that location. After doing so, I got straight to work on the .img file.
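Before mounting an unknown .img it pays to find out what is actually in it, and at what offset, so it can be mounted read-only rather than guessed at. As an added example (not from the original walkthrough), the script below reads the well-known on-disk signatures (MBR partition table, ext2/3/4 superblock magic, FAT boot sector, ISO9660 volume descriptor) and returns the filesystem type and byte offset to pass to mount. The three images it inspects are constructed in code, containing only the signature bytes, so it runs offline.

```python
"""Identify what is inside a disk image before mounting it.

Added example, not from the original walkthrough. It reads the well-known
on-disk signatures so the image can be mounted read-only at the right offset.
"""
import struct

SECTOR = 512


def _fs_at(data, base):
    """Filesystem signature at byte offset `base`, or None."""
    # ext2/3/4: superblock at +1024, magic 0xEF53 (little-endian) at +56
    if data[base + 0x438:base + 0x43A] == b"\x53\xef":
        return "ext2/3/4"
    # FAT boot sector: "FAT32" type string at +0x52, "FAT12"/"FAT16" at +0x36
    if data[base + 0x52:base + 0x57] == b"FAT32":
        return "FAT32"
    if data[base + 0x36:base + 0x39] == b"FAT":
        return "FAT12/16"
    # ISO9660: "CD001" at byte 1 of the primary volume descriptor (sector 16)
    if data[base + 0x8001:base + 0x8006] == b"CD001":
        return "ISO9660"
    return None


def identify_image(data):
    """Return (fs_type, byte_offset) for the first filesystem in `data`.

    A whole-disk image carries an MBR (0x55AA at byte 510) with a partition
    table at byte 446; a bare filesystem image starts directly with the
    filesystem. FAT boot sectors also end in 0x55AA, so look for a raw
    filesystem first and only then interpret the sector as an MBR.
    """
    fs = _fs_at(data, 0)
    if fs:
        return fs, 0
    if len(data) >= SECTOR and data[510:512] == b"\x55\xaa":
        for n in range(4):
            entry = data[446 + 16 * n:446 + 16 * (n + 1)]
            ptype = entry[4]
            lba_start = struct.unpack_from("<I", entry, 8)[0]
            if ptype == 0:
                continue  # empty slot
            offset = lba_start * SECTOR
            return (_fs_at(data, offset) or f"partition type 0x{ptype:02x}"), offset
    return "unknown", 0


def make_ext_image():
    """Constructed bare ext-style image: only the superblock magic is set."""
    img = bytearray(4096)
    img[0x438:0x43A] = b"\x53\xef"
    return bytes(img)


def make_mbr_image():
    """Constructed whole-disk image: one Linux (0x83) partition at sector 2."""
    img = bytearray(8 * SECTOR)
    img[510:512] = b"\x55\xaa"
    entry = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 2, 6)
    img[446:462] = entry
    img[2 * SECTOR + 0x438:2 * SECTOR + 0x43A] = b"\x53\xef"
    return bytes(img)


def make_fat_image():
    """Constructed FAT16 boot sector: type string plus the 0x55AA signature."""
    img = bytearray(SECTOR)
    img[0x36:0x3E] = b"FAT16   "
    img[510:512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("bare ext", make_ext_image()), ("mbr disk", make_mbr_image()),
                      ("fat", make_fat_image())):
        fs, off = identify_image(img)
        print(f"{name}: {fs} at byte offset {off}")
```

With the offset in hand, mount the image read-only and without executable permissions, for example `mount -o loop,ro,noexec,offset=<offset> flag.img /mnt/img`, so nothing inside it is modified or run while you look around; `file` and `fdisk -l` give the same information interactively.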

Interesting. So I read the hint and went to the links and it’s none other than Zero Cool who was the common factor between Hackers and Trainspotting 🙂

Going into our .trash, we find our encrypted flag!! So close, yet so. far. away.

I used John to create a list of possibilities for Mr. Zero Cool so I could hopefully brute-force it and find what I needed to decrypt the flag.

All there is to do is HOPE that you can decrypt it with your new wordlist, and read the contents of our flag 🙂

Well, that didn’t work. Let’s try it with zerokool…

SUCCESS!! Finally, I ended up with this after LOTS of output…lots:

Let’s read our flag 🙂

This VM was a pain, had some sweet turns, and wasn’t the average VM. It gave the challenge of entering/exiting DOS, figuring out the backslash, and cracking this file…This was fantastic!! A huge thanks going to Knightmare, w00t!!
