SkyDog CTF
Warning: Spoilers
This walkthrough has all commands and decoded flags.
In this post I'll be taking a look at the SkyDogCTF from vulnhub and capture all six flags. The uploader gives us six clues to help us capture these flags:
The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}
Flag 1: Home Sweet Home or (A picture is Worth a Thousand Words)
Flag 2: When do Androids Learn to Walk?
Flag 3: Who Can You Trust?
Flag 4: Who Doesn't Love a Good Cocktail Party?
Flag 5: Another Day at the Office
Flag 6: Little Black Box
Let's dive right into this VM and capture these flags.
Port 80
Let's start by using nmap and seeing what we got:
nmap 10.0.2.4/24 -A -Pn
- 10.0.2.4/24 ---- scan the range
- -A ---- get operating system and version info
- -Pn ---- Treat all hosts as online (skip host discovery)
We find that 10.0.2.7 is the machine and that two ports are open: port 80 (HTTP) and port 22 (SSH). Port 80 being the easiest to hit, I open up Firefox and head over to the site. We are greeted with the SkyDog image.
Download this image and let's use exiftool to see what metadata this image carries:
exiftool Skydog_CTF.jpg
Looking at the information given we see that there is an XP Comment with our first flag!
Let's go ahead and search for an MD5 decrypter (really a lookup site holding precomputed hashes of common strings, since MD5 itself cannot be reversed) and see if the flag gives us any clues:
abc40a2d4e023b42bd1ff04891549ae2 MD5: Welcome[space]Home
This confirms the first clue we were given. Now let's see if there is a robots.txt on the web server and what that gives us.
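As an added illustration, not part of the original walkthrough, here is what an "MD5 decrypter" site actually does: it hashes a wordlist once and looks the target digest up in the result. The wordlist below is constructed, the hash list is the set of flag digests quoted on this page, and the helper also checks digest length, which is why a 33-character string can never be a valid MD5 flag.

```python
import hashlib

# Constructed stand-in for a wordlist such as rockyou.txt (the real file has millions of lines).
SAMPLE_WORDS = ["password", "hello", "abc", "Welcome Home", "Bots", "yourmother", "leroybrown"]

# The flag digests as they are printed in this walkthrough.
PAGE_HASHES = [
    "abc40a2d4e023b42bd1ff04891549ae2",
    "cd4f10fcba234f0e8b2f60a490c306e6",
    "1871a3c1da602bf471d3d76cc60cdb9b",
    "c07908a705c22922e6d416e0e1107d99",
    "82ce8d8f5745fff6849fa7af1473c9b35",  # 33 hex chars as printed: cannot be an MD5 digest
    "b70b205c96270be6ced772112e7dd03f",
]


def is_valid_md5(digest):
    """An MD5 digest is exactly 32 hexadecimal characters; anything else is a transcription error."""
    d = digest.lower()
    return len(d) == 32 and all(c in "0123456789abcdef" for c in d)


def build_lookup_table(words):
    """Precompute md5(word) -> word. This table is all a 'decrypter' site really holds:
    nothing is decrypted, the digest is simply matched against hashes of known strings."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}


def lookup_hashes(digests, words):
    """Return {digest: plaintext} for every digest found in the table.
    Malformed digests and digests absent from the table are left out."""
    table = build_lookup_table(words)
    hits = {}
    for digest in digests:
        d = digest.lower()
        if is_valid_md5(d) and d in table:
            hits[d] = table[d]
    return hits


if __name__ == "__main__":
    for d in PAGE_HASHES:
        print(d, "ok" if is_valid_md5(d) else "INVALID length")
    print(lookup_hashes(PAGE_HASHES, SAMPLE_WORDS))
```

The defensive takeaway is the size of the table, not the code: any unsalted MD5 of a dictionary word or a short phrase is recovered instantly by such a lookup, which is why real password storage uses a salted, slow hash rather than bare MD5.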
Navigating to 10.0.2.7/robots.txt gives us our second flag (easy enough). This text file also gives us a list of disallowed and allowed URLs, and by list I mean one good-sized list. But back to the second flag; let's see what that gives us:
cd4f10fcba234f0e8b2f60a490c306e6 MD5: Bots
TOO MANY SECRETS
Again this confirms the second clue. So let's get back to this list and try out all of the URLs listed. After trying the URLs, yes, one by one, we navigate to the /Setec page. This page has an image from the movie "Sneakers" with the text "TOO MANY SECRETS" on it, so the next step is to download the image and run exiftool on it to see if we get lucky. The image metadata showed no clues and no flags, so the next thing to try is viewing the page source. Sure enough, I see that this image is being served from 10.0.2.7/Setec/Astronomy; let's take a look and see what they have in there.
Checking the source can lead you to something juicy.
The new URL leads us to an index page with one file, Whistler.zip, which is password protected. Time to crack this puppy open using the rockyou wordlist:
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u Whistler.zip
- -D ---- use a dictionary attack (make sure to download the rockyou list)
- -p ---- use the given string/file as the password source (the wordlist here)
- -u ---- use unzip to weed out false-positive passwords
Cool, so we found the password to the zip file; let's open it up and see what's inside. Inside we find our third flag! We also see another text document, QuesttoFindCosmo.txt. Opening the flag text we get an MD5 hash, time to run it through the lookup:
1871a3c1da602bf471d3d76cc60cdb9b MD5: yourmother
That's right, yourmother! Well, I guess you can trust your mother, referring to clue number 3. Opening the other file we get another clue: "Time to break out those binoculars and start doing some OSINT".
Time to do some open-source intelligence. I won't go too far into the details of OSINT, so here is the short version: OSINT is intelligence collected from publicly available sources. With that vague definition, I can put together the information I've gathered about this CTF:
- It's based on the movie "Sneakers" which is the most useful information.
- Research characters on the movie
- Research the plot of the movie.
With this we can go to the IMDb page of the movie and look up both the characters and the plot of the film. The last clue we received was "Time to break out those binoculars...", which may refer to something that happens in the film. I'd advise you to sit down and watch the movie, but we don't have time for that during a CTF session. So the next logical step is to pull the words from the movie's IMDb page into a word list and use it with dirb to discover a new URL directory. First let's create the list using the cewl tool:
cewl --depth 1 http://www.imdb.com/title/tt0105435/trivia?ref_=tt_ql_2 -w sneakers_imdb.txt
Now that we have the list, let's use dirb to discover some directories:
dirb http://10.0.2.7 sneakers_imdb.txt
We can clearly see that there is a directory 10.0.2.7/PlayTronics; let's see what we find in it. The directory is another index page with our fourth flag! We also find a .pcap file. Let's see what the MD5 lookup shows us:
c07908a705c22922e6d416e0e1107d99: leroybrown
Okay, so we are given a name. Let's view the .pcap file, which we open using Wireshark.
If you don't know what Wireshark is, it's a tool that captures network traffic and gives a detailed breakdown of what's going on. It's a very useful tool, and no doubt this will be an interesting file to look over. Our 5th clue states "Another Day at the Office", which is why we are more than likely going to find what we need in Wireshark. Don't be scared of what you see in this file: most of the connections are encrypted and will be useless to us, so let's filter for only HTTP, which is not encrypted. In the filter field above type in http and hit the arrow to the right.
Filtering just HTTP gives two captures, and one is a GET request. Examining this request we notice that there is a .mp3 file being transferred. To extract this file go to File ---> Export Objects ---> HTTP, which prompts a save window. Just remove everything after .mp3 as shown:
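What Wireshark's http filter and Export Objects do under the hood is walk the capture, pick out TCP payloads that start with an HTTP request line, and read the path and Host header. The following added example (not from the walkthrough or the VM) does that in pure Python over a constructed two-frame pcap, then flags file types a defender would not expect to see fetched in cleartext. The packet-builder helpers, the IP addresses and the sample.mp3 path are all constructed for the demo.

```python
import struct


def build_pcap(frames):
    """Constructed helper: wrap raw Ethernet frames in a little-endian pcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed helper: Ethernet + IPv4 + TCP around a payload (checksums left 0; not verified)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MAC addresses, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def iter_frames(pcap):
    """Yield each captured frame from a pcap byte string (either byte order, Ethernet link type)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, dst, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: 6 is TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, dport, tcp[data_off:]


def find_http_requests(pcap):
    """Pull every cleartext HTTP request (method, path, Host) out of a capture, the way the
    'http' display filter surfaces them. TLS records and other binary payloads are skipped."""
    requests = []
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        header = payload.split(b"\r\n\r\n", 1)[0]
        lines = header.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue
        host = ""
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        requests.append({"src": src, "dst": dst, "dport": dport,
                         "method": parts[0].decode("ascii", "replace"),
                         "path": parts[1].decode("ascii", "replace"), "host": host})
    return requests


def flag_cleartext_downloads(requests, extensions=(".mp3", ".zip", ".exe", ".pcap")):
    """Return request paths fetching file types you would not expect to travel over plain HTTP."""
    return [r["path"] for r in requests if r["path"].lower().endswith(extensions)]


# Constructed sample capture: one TLS ClientHello fragment (ignored) and one HTTP GET for an .mp3.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.2.15", "93.184.216.34", 51000, 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    build_tcp_frame("10.0.2.15", "10.0.2.7", 51001, 80,
                    b"GET /PlayTronics/sample.mp3 HTTP/1.1\r\nHost: 10.0.2.7\r\nUser-Agent: demo\r\n\r\n"),
])
```

Run find_http_requests on the bytes of a real capture file and the TLS traffic drops out exactly as it does behind the http filter; flag_cleartext_downloads is the kind of rule a network monitor would raise on, since audio, archives and executables moving over unencrypted HTTP are worth a second look.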
Listening to the audio we hear "Hi my name is Werner Brandes my voice is my passport. Verify me."
Werner Brandes could be another clue. Let's finally take a look at port 22 and see whether leroybrown or Werner Brandes is the username to log in with. Let's use the hydra tool to do the work for us.
Port 22
Having hydra test out our username and password guesses makes our lives easier. The issue with hydra is that it can take a long time using standard dictionary files. If we create a specific dictionary file using the clues from the decoded flags, we speed up hydra's job of finding the username and password. First let's create the file:
SkyDog wbrandes Welcomehome bishop
skydog WenerBrandes welcomeHome setec
yourmother toomanysecrets bots Setec
YourMother TooManySecrets Bots
leroybrown ToomanySecrets mrBishop
lbrown Toomanysecrets MrBishop
LeroyBrown WelcomeHome mrbishop
wenerbrandes welcomehome Bishop
Creating this word list and saving it into a .txt file, we then proceed to run hydra:
hydra -t 5 -V -f -L skydoglist.txt -P skydoglist.txt 10.0.2.7 ssh
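A run like the one above is very visible on the target: every guess becomes a "Failed password" line from sshd in the auth log, and the eventual success shows up as "Accepted password" from the same source a moment later. The following added example (not part of the walkthrough) shows the detection side: it parses constructed sshd log lines, flags any source IP with five or more failures inside a one-minute window, and separately flags a successful login from that IP after its burst. The log lines, hostnames and the 2020 year used for syslog timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (no year), standing in for /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Oct  1 10:00:01 skydog sshd[2101]: Failed password for invalid user skydog from 10.0.2.15 port 40001 ssh2
Oct  1 10:00:01 skydog sshd[2102]: Failed password for invalid user wbrandes from 10.0.2.15 port 40002 ssh2
Oct  1 10:00:02 skydog sshd[2103]: Failed password for invalid user bishop from 10.0.2.15 port 40003 ssh2
Oct  1 10:00:02 skydog sshd[2104]: Failed password for leroybrown from 10.0.2.15 port 40004 ssh2
Oct  1 10:00:03 skydog sshd[2105]: Failed password for leroybrown from 10.0.2.15 port 40005 ssh2
Oct  1 10:00:03 skydog sshd[2106]: Accepted password for leroybrown from 10.0.2.15 port 40006 ssh2
Oct  1 10:05:00 skydog sshd[2200]: Failed password for alice from 192.0.2.9 port 50000 ssh2
Oct  1 10:05:30 skydog sshd[2201]: Accepted password for alice from 192.0.2.9 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2020):
    """Turn sshd password-auth lines into (timestamp, ip, user, result) tuples.
    Syslog lines carry no year, so one is supplied (a leap year avoids Feb 29 surprises)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on source IPs with >= threshold failures inside any window_seconds span,
    then on any accepted login from that IP at or after the end of the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[3] == "Failed"]
        burst_end = None
        for i in range(len(failures)):
            j = i + threshold - 1  # index of the threshold-th failure in a run starting at i
            if j < len(failures) and (failures[j][0] - failures[i][0]).total_seconds() <= window_seconds:
                burst_end = failures[j][0]
                break
        if burst_end is None:
            continue
        alerts.append({"ip": ip, "type": "bruteforce", "failures": len(failures),
                       "users": sorted({e[2] for e in failures})})
        for e in evs:
            if e[3] == "Accepted" and e[0] >= burst_end:
                alerts.append({"ip": ip, "type": "success_after_bruteforce", "user": e[2]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an accepted login from the same address is the signature of a guessed password, and the honest user alice, with one typo and then a success, never trips the threshold.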
We have our username and password for port 22; let's log in and get our final two flags. Logging in we discover what folders are available and we find our 5th flag!
82ce8d8f5745fff6849fa7af1473c9b35: Dr[space]Gunter[space]
Now on to our last flag. After looking around we realize that the current user doesn't have root access. This is where I'm thrown off: I'm not too knowledgeable in privilege escalation, so it's off to Google. Or in my case, I looked at another walkthrough and found that they had spotted a Python script that was editable by our user:
nano /lib/log/sanitizer.py
Editing this file and adding the following will set the setuid bit on /bin/dash the next time the script is run with root privileges, which gives us a root shell:
import os
import sys
try:
    os.system('chmod u+s /bin/dash')  ##<------ change
except:
    sys.exit()
The following command watches /bin/dash until the setuid bit shows up in its permissions, which tells us the script has been run:
watch -n1 'ls -lah /bin/dash'
Once the bit appears, hit Ctrl+C and then run:
/bin/dash
From here we have root access, and we proceed to find the last flag.
We have our last flag!
b70b205c96270be6ced772112e7dd03f: congratulationsYoudidit
This leads us to a final URL, 10.0.2.7/CongratulationsYouDidIt, which is a small clip from the movie "Karate Kid".
Taking in all I've done, and giving in at the last flag, I still feel pretty good about myself. I still have a lot to learn when it comes to privilege escalation, but I think I did well finding five flags without help. Hope this walkthrough guides you when you get stuck. But like always, don't give up and try harder!
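The escalation above needed two things to line up: a script that a low-privileged user can write to but root executes, and a setuid bit that nobody noticed landing on a shell. Both are cheap to check for. The following added example (not from the walkthrough or the VM) walks a directory tree and reports group- or world-writable scripts and any file carrying the setuid or setgid bit; build_demo_tree builds a constructed temp-directory fixture that mimics the layout described above, with hypothetical relative paths rather than the real /lib/log.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root and report:
      - scripts (by extension) writable by group or others, i.e. editable by non-owners
      - regular files with the setuid/setgid bit set (an unexpected shell here is a red flag)
    Paths are returned relative to root, sorted, so the output diffs cleanly run to run."""
    writable_scripts, setuid_files = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks into other trees
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if name.endswith((".py", ".sh", ".pl")) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                writable_scripts.append(rel)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                setuid_files.append(rel)
    return {"writable_scripts": sorted(writable_scripts), "setuid_files": sorted(setuid_files)}


def build_demo_tree():
    """Constructed fixture (hypothetical paths) mirroring the weakness and its result."""
    root = tempfile.mkdtemp(prefix="skydog_audit_")
    os.makedirs(os.path.join(root, "lib", "log"))
    os.makedirs(os.path.join(root, "bin"))
    files = {
        "lib/log/sanitizer.py": 0o666,  # world-writable script: the weakness used above
        "lib/log/rotate.py": 0o644,     # properly locked-down script
        "bin/dash": 0o4755,             # setuid bit set: what chmod u+s leaves behind
        "bin/ls": 0o755,                # ordinary binary
    }
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # chmod ignores umask, so the demo modes land exactly as written
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print(audit_tree(demo_root))
```

On a real host, run audit_tree over the directories your scheduled jobs execute from and compare the setuid list against what the package manager installed; a shell or interpreter that newly appears in that list is the kind of change worth an alert.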