CTF-USV 2016 was created by Suceava University. There are 7 flags that should be discovered in the form of: Country_name Flag: [md5 hash]. We hosted the VM in virtual box and ran nmap on its IP address:
From nmap, we found HTTP is running on port 80, and we tried to access, but it was showing access forbidden.
We configured the port 80 from burp proxy for bypassing the restriction by changing the user agent, but eventually, we found out the first token in response.
We decoded the base64, and we got the Croatia flag.
Now we moved to SSH port, and we connect it, and we found the second flag in SSH banner, but it was encrypted.
In the dragon image, there was a hint for decrypting the flag which was AES-ECB encryption with the key. We used the only tool for decrypting the flag, and we got our Italy flag in plain text.
From nmap result we found squid proxy on port 3129, we configured the proxy on our browser.
After that, we tried to access the port 80 from the browser, and we found a web application on it.
Let’s fuzz the directory but before that we first configure the squid proxy on dirbuster.
Moreover, we start the fuzzing, and it seems that it is a WordPress based site.
We start browsing the site, and we found something interesting hint and as every GOT watcher knows hodor only speaks HODOR.
We tried accessing the directory as hodor, and we found a zip file.
In a zip folder, we found an image with a base64 flag.
After decoding it, we found the Portugal flag.
In the same blog, we found one more post which was password protected. We fired bruteforce by using the RockYou wordlist but didn’t found the correct password.
We generated a word list dictionary based on words on a website by using cewl tool by using the following command: cewl –w wordlist –d x <target> –proxy_host <target> –proxy_port 3129
After generating the word list, we again brute forced it, and we found the correct password which was “Westerosi.”
In the post, we found the base64 flag, and we decoded it and found the Paraguay flag.
In that same protected post there is message” The mother_of_dragons has a password which is in front of your eyes” it seems the mother_of_dragons is the username. That’s why the underscore is there, and the password will be “in front of your eyes” but what type of credential is this where we will login? Now we tried accessing all other ports, and we found FTP on port 21211, and we were able to log in by using that credential.
In FTP directory we found a readme.txt, and we opened the file. The content of this file is “I keep a hidden note for myself.” A hidden ‘note.’
In the note, we found hint related to the WordPress login credential which seems to be the three dragon names of Khaleesi.
Next step is to login into WordPress with the user: mother_of_dragons and the password composed of her children’s names “DrogonViserionRhaegal.”
In Daenerys’ profile, we found the fifth flag.
After decoding the base64, we got our Thailand flag.
Now we edited on the page source code and replaced with the PHP reverse shellcode.
After saving the file, we executed the page from the browser, and we got reverse shell connection on netcat listener.
We start browsing all directory, and inside srv/http directory we found the reward_flag.txt file on which we found our sixth flag.
After decoding the base64 value, we got the Mongolia flag.
Also in /srv/http/ folder, there is a file named winterfell_messenger, which is owned by root and has setuid bit set. We tried to run this binary to see what happens:
By analyzing the binary with strings tool and observe that it uses the cat command to read /root/message.txt file. The interesting thing is that cat is used with a relative path and not with absolute path. This means that we might manipulate PATH environment variable, create a file named “cat” with some arbitrary commands in it, and execute it as root
Now we can run commands as root user.