Gibson Vulnhub’s vulnerable lab challenge · Information Security Confidential - Partner Use Only...

Information Security Inc.

Gibson Vulnhub’s vulnerable

lab challenge

Information Security Confidential - Partner Use Only

Contents

2

• About Vulnhub

• Target VM

• Test Setup

• Walkthrough

• References


About Vulnhub

3

• To provide materials that allows anyone to gain practical 'hands-on'

experience in digital security, computer software & network

administration


Target VM

4

• Target VM: Gibson

• Download the ova file https://download.vulnhub.com/gibson/gibson.ova

• Import the ova file into your favorite hypervisor;

• Attach a DHCP enabled interface to the machine and run it

• Objective

Capture the flag

https://download.vulnhub.com/gibson/gibson.ova


Test Setup

5

◎Testing environment

Linux Kali (attacker) >>> Gibson (target vm)


Walkthrough

6

◎From the attacker machine run the following command to find out

Target VMs IP address:

◎Scan the target machine IP (192.168.254.143)


Walkthrough

7

◎ Explore Port 80 in a browser


Walkthrough

8

◎ Open the found html page

◎ The page says “brute force” but there is no place where brute

force can be applied


Walkthrough

9

◎ Viewing the page-source reveals the ssh password for the user

margo; password is “god”


Walkthrough

10

◎ SSH login > user “margo” and password “god”


Walkthrough

11

◎ Check if user “margo” is a sudoer

◎ Margo can run just one command as sudoer; Command is

“convert”


Walkthrough

12

◎ Ubuntu version is 14.04; search for any privesc vulns for this

version of ubuntu

◎ Found exploit “39166.c”


Walkthrough

13

◎ Compile the exploit and transfer it to the target vm


Walkthrough

14

◎ Use the exploit to obtain root


Walkthrough

15

◎ Look for listening services

◎VNC port 5900 is open and qemu is running


Walkthrough

16

◎ Find the qemu command details


Walkthrough

17

◎ Search ftpserv machine image

◎ Found the image in “/var/lib/libvirt/images”


Walkthrough

18

◎ Copy the image to a different machine and investigated it


Walkthrough

19

◎ Use “fls” from sleuthkit to further investigate the image


Walkthrough

20

◎ Look inside the GARBAGE directory


Walkthrough

21

◎ Extract the files from it using icat


Walkthrough

22

◎ Use “fls” from sleuthkit to further investigate the found image

(flag.img)


Walkthrough

23

◎ Extract the files from it using icat


Walkthrough

24

◎ “hint.txt” file is

/* http://www.imdb.com/title/tt0117951/ and

http://www.imdb.com/title/tt0113243/ have

someone in common... Can you remember his

original nom de plume in 1988...? */

◎Which refers to the actor jonnny lee miller who in the movie

hackers went by the name "zero cool".


Walkthrough

25

◎ zero cool" doesnt decrypt flag.txt.gpg, make a wordlist and add

leetspeak (https://en.wikipedia.org/wiki/Leet) to expand it


Walkthrough

26

◎ Create a brute force script


Walkthrough

27

◎ Run it and capture the flag


References

28

• Vulnhub website

https://www.vulnhub.com

• Vulnerable VM download


• Sleuthkit

https://github.com/sleuthkit/sleuthkit

• Leet

https://en.wikipedia.org/wiki/Leet

• Leetify.pl

https://gist.github.com/kevinnz/0b808d825bccaa4fb6ee2d8d698c5c9e


Date post:	22-May-2020
Category:	Documents
Upload:	others
View:	3 times
Download:	0 times

Gibson Vulnhub’s vulnerable lab challenge · Information Security Confidential - Partner Use Only...

Documents