This VM, provided by VulnHub

Flags: There are 7 flags that should be discovered in form of: Country_name Flag: [md5 hash]. In CTF platform of the CTF-USV competition there was a hint available for each flag, but accessing it would imply a penalty. If you need any of those hints to solve the challenge, send me a message on Twitter @gusu_oana and I will be glad to help.

About: CTF-USV 2016 was the first International Students Contest in Information Security organized in Romania by Suceava University. Security challenges creation, evaluation of results and building of CTF environment was provided by Safetech Tech Team: Oana Stoian (@gusu_oana), Teodor Lupan (@theologu) and Ionut Georgescu (@ionutge1)

 

After running the USV vm the first thing I did was to find the IP address has assigned from the DHCP using netdiscover

 

Next step was services fingerprint and port scanning with nmap

 

from the result we can see the running services as the hostname also.
As a not Game Of Thrones fun at this point the hostname mean nothing to me

Ok, the first thing I did was to visit the web server that runs in port 80 waiting to see a website, but a wall hit’s me in the face 😛

 

The first that comes to my mind was to run a web proxy to see if there is anything interesting in the header, and I was right.

FLAG(1):

 

After that I run Dirbuster with no interesting results, next I run Nikto and fails again.

I must missing something for sure….
…. remember that Squid proxy we find with nmap? Lets try to add that as a proxy and try Nikto again.

Success with a blog directory as a new result

Ok lets add the Squid proxy as our web proxy also and navigate to the blog directory. Everything looks  better now.

 

The interesting part at this point is the Post named “I have a message for you”

 

HODOR !!! I was not sure at this point where this can help , so I tried different things but failed (metadata, source-code) until trying to use it as a directory and I got a zip file.

 

Unzip the file and got a new image with the second flag.

FLAG(2):

 

 

Obviously I miss-type something on the decoding but I was to lazy to fix it. For me that was enough as prove. After that I navigate further to the site until i found a locked content

Ok , now I need a password ? I was thinking about where to look for that and I thing there was not a better place than the site it self. So I run Cewl to create a password list. I load that list to Burp Intruder and got the content unlocked.

FLAG(3):

 

“The mother_of_dragons has a password which is in front of your eyes”
Hmmm, at this point I was thinking about WordPress Admin panel (was in default path).
I did try to login with username mother_of_dragons and password as password but failed. I tried with “in front of your eyes” as password and failed again. So obviously that credentials was not for the admin panel.
Next thing I tried was the ssh service but I got the 4th flag at the banner.

FLAG(4):

 

 

So, I dont believe that ssh has to offer more than that and I still had some credentials to use. Next step was the ftp service and I was right.
Inside the ftp was 2 files (1 hidden)

 

 

Ok, now it gets more interesting and this is the part where I connect the CTF with the Game Of Thrones series lol 😛
After googling I found out the names of Daenerys childrens.

Tried to login to the WordPress using their name and after some mixing up I was in.
The next flag was under Daenerys Bio

FLAG(5)

 

Whats next, there is 2 more flags ? I decide to upload a reverse shell and get a shell on the box.

 

I start navigate to most “common” path, looking for files with root privileges and so on. Under the http user path was all the juice info and the 6th flag also

FLAG(6):

 

There was an executable file also “winterfell_messenger” owned by root tried to run it but failed as I except

 

The message was a clue for me and make it clear what my next step will be. The binary file tried to read the message.txt file under root directory but it use relative path than absolute path instead ?
So, what if I try to manipulate the Path environment adding a file to tmp  named “cat” with “/bin/bash” as a content and added also to the Path environment ?

 

At this point I miss a “/” in “/bin/bash” so it didn’t work, but it works after the fix.

Fix :

 

So right now I should be able to execute the winterfell_messenger binary

 

Root !!
Time to read the last flag.

FLAG(7):

 

 

Thats it for now , it was a fun challenge
Thanks to Vulnhub  for hosting those CTF’s!!!