Information Security Inc.
Gibson: Vulnhub’s vulnerable lab challenge
Information Security Confidential - Partner Use Only
Contents
• About Vulnhub
• Target VM
• Test Setup
• Walkthrough
• References
About Vulnhub
• To provide materials that allow anyone to gain practical 'hands-on'
experience in digital security, computer software & network
administration
Target VM
• Target VM: Gibson
• Download the ova file: https://download.vulnhub.com/gibson/gibson.ova
• Import the ova file into your favorite hypervisor
• Attach a DHCP-enabled interface to the machine and run it
• Objective: capture the flag
Test Setup
◎ Testing environment
Linux Kali (attacker) >>> Gibson (target vm)
Walkthrough
◎ From the attacker machine run the following command to find the
target VM's IP address:
◎ Scan the target machine IP (192.168.254.143)
◎ Explore Port 80 in a browser
◎ Open the HTML page that was found
◎ The page says “brute force” but there is no place where brute
force can be applied
◎ Viewing the page source reveals the SSH password for the user
margo; the password is “god”
◎ Log in over SSH as user “margo” with password “god”
◎ Check if user “margo” is a sudoer
◎ Margo can run just one command through sudo: “convert”
◎ The Ubuntu version is 14.04; search for any privilege escalation
vulnerabilities for this version of Ubuntu
◎ Found exploit “39166.c”
◎ Compile the exploit and transfer it to the target VM
◎ Use the exploit to obtain root
◎ Look for listening services
◎ VNC port 5900 is open and qemu is running
◎ Find the qemu command details
◎ Search for the ftpserv machine image
◎ Found the image in “/var/lib/libvirt/images”
◎ Copy the image to a different machine and investigate it
◎ Use “fls” from sleuthkit to further investigate the image
◎ Look inside the GARBAGE directory
◎ Extract the files from it using icat
◎ Use “fls” from sleuthkit to further investigate the found image
(flag.img)
◎ Extract the files from it using icat
◎ The “hint.txt” file contains:
/* http://www.imdb.com/title/tt0117951/ and
http://www.imdb.com/title/tt0113243/ have
someone in common... Can you remember his
original nom de plume in 1988...? */
◎ This refers to the actor Jonny Lee Miller, who in the movie
Hackers went by the name "zero cool".
◎ "zero cool" doesn't decrypt flag.txt.gpg; make a wordlist and add
leetspeak (https://en.wikipedia.org/wiki/Leet) to expand it
◎ Create a brute force script
◎ Run it and capture the flag
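The leetspeak step above works because character substitutions add very little to a guessable phrase. The following added example (not part of the original walkthrough) shows the defender-side check: it collapses leet variants to a common skeleton so a passphrase audit can reject them. The substitution groups and the deny-list are constructed assumptions.

```python
from math import prod

# Constructed equivalence groups: a letter followed by its common leet
# substitutes. "i" and "l" share a group because both are written as "1".
GROUPS = ["a4@", "e3", "il1!|", "o0", "s5$", "t7+"]
CANON = {ch: g[0] for g in GROUPS for ch in g}   # any member -> representative
SIZE = {g[0]: len(g) for g in GROUPS}            # representative -> group size


def skeleton(text):
    """Lowercase, drop separators, and map every leet substitute to its
    group's representative so all variants of a phrase compare equal."""
    return "".join(
        CANON.get(c, c) for c in text.lower() if c.isalnum() or c in CANON
    )


def class_size(text):
    """Number of lowercase, separator-free strings sharing this skeleton,
    i.e. how many guesses cover every substitution variant of the phrase."""
    return prod(SIZE.get(c, 1) for c in skeleton(text))


def audit(candidate, denylist):
    """Return the deny-listed phrase the candidate is a variant of, or None."""
    skel = skeleton(candidate)
    for word in denylist:
        if skeleton(word) == skel:
            return word
    return None


if __name__ == "__main__":
    # Constructed deny-list; "zero cool" is the phrase named in the hint.
    denylist = ["zero cool", "password"]
    for candidate in ["Z3r0_C00l", "p@$$w0rd", "correct horse battery staple"]:
        hit = audit(candidate, denylist)
        print(f"{candidate!r}: variant of {hit!r}" if hit else f"{candidate!r}: ok")
    print("variants to try for 'zero cool':", class_size("zero cool"))
```

A passphrase policy that compares skeletons instead of raw strings rejects every substitution variant of a known phrase with a single deny-list entry.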
References
• Vulnhub website
https://www.vulnhub.com
• Vulnerable VM download
https://download.vulnhub.com/gibson/gibson.ova
• Sleuthkit
https://github.com/sleuthkit/sleuthkit
• Leet
https://en.wikipedia.org/wiki/Leet
• Leetify.pl
https://gist.github.com/kevinnz/0b808d825bccaa4fb6ee2d8d698c5c9e