Vulnhub:USV-CTF

Back again, this time with having done the USV-CTF, which was fun and definitely challenging to get all 7 flags. So lets get into it.

I started of by doing my usual scan with nmap.

As you can see, their are a bunch of ports open:

  • 22 ssh
  • 80 http
  • 3129 http-proxy (why does a web server need a proxy?)
  • 3306 mysql
  • 4444 ftp
  • 21211 ftp

Accessing the webpage gives us a forbidden page, inspecting the page gives us nothing as well.

Trying to connect to the database wouldn’t take either. So far I’m getting nothing, so now I try to connect to the server via ssh. Whats this? A dragon?

wDOW0gW/QssEtq5Y3nHX4XlbH/Dnz27qHFhHVpMulJSyDCvex++YCd42tx7HKGgB is an encrypted text in AES using ECB mode with the key xxxxx0000000xxxxxx  (http://aesencryption.net/). Boom my first flag of the challenge Italy Flag: 0047449b33fbae830d833721edaef6f1

After searching around for a while, I decided to fire up burpsuite and take a look at the headers for the site. In the X-XSS-PROTECTION header is the second flag (Q3JvYXRpYSBGbGFnOiAwYzMyNjc4NDIxNDM5OGFlYjc1MDQ0ZTljZDRjMGViYg==) Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb.

Time to back track a little, why is there a web proxy for this site? Then it hit me, use it as a proxy server. So in kali I added the proxy to the network (in the proxy settings) and had all the traffic go through the new proxy. Now I accessed the site and boom.

Ok so its a game of thrones inspired CTF. Firing up nikto and scanning the site reveals a bunch of stuff. Most importantly /blog/wp-login.php. Ok so we are dealing with a wordpress site. 

So lets go to /blog and see whats there. This takes you to a blog with a bunch of posts. Browsing through them until i came across the ‘I have a message for you’ post. Hmm ok, looking through the post reveals nothing, but hodor is highlighted so maybe its a username or directory?

Going to /blog/hodor reveals a hidden page with a link.

Downloading the file gives you a zip file with an image in it. Extracting it gives the third flag (UG9ydHVnYWwgRmxhZzogYTI2NjNiMjMwNDVkZTU2YzdlOTZhNDA2NDI5ZjczM2Y=) Portugal Flag: a2663b23045de56c7e96a406429f733f

.

Browsing through the site again, I came across a password protected post.

Using the cewl tool to generate a password list from the website. Here I had to cheat a little as I couldn’t get a password cracker to crack the password, which is Westerosi. The fourth flag is here (UGFyYWd1YXkgRmxhZzogNDc2MWI2NWYyMDA1MzY3NDY1N2M3ZTYxODY2MjhhMjk=) Paraguay Flag: 4761b65f20053674657c7e6186628a29.

Hmm this page has a nice little clue, ‘The mother_of_dragons has a password which is in front of your eyes’. mother_of_dragons seems like a username, this site has a login page (/blog/wp-login.php). The password for the username in front of your eyes. Trying this on the login page got me nowhere. So what else can I use this for? Ahhh yes ftp login. ftp <ip> 21211 with the username and password mentioned above. listing the directory will show you two files readme.txt and note.txt (which is hidden). Opening the readme.txt file says theres a hidden file (note.txt).

Open the note.txt file.

Hmm ok, if your a fan of game of thrones then you will know that Daenerys doesn’t have any children but three dragons,  Drogon,Viserion,Rhaegal. So the password must be a combination of these. Back to the blog there is a post by Daenerys, clicking on that post and looking at the url gives you the wordpress username mother_of_dragons. Now onto the wordpress login page, using wpscan to bruteforce the page, the password ended up being RhaegalDrogonViserion. Now that we are in the control panel for the wordpress site, time to snoop around.

After a while of snooping I came across the fifth flag in the user profile for Daenerys (VGhhaWxhbmQgRmxhZzogNmFkNzk2NWQxZTA1Y2E5OGIzZWZjNzZkYmY5ZmQ3MzM=) Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733.

Now onto the 6th flag. Using the pentestmonkey reverse shell (basic set up can be found in my mr.robot walkthrough). After getting a reverse shell and poking around for a while I couldn’t find anything until I cd ~ (http user home) and ls -alt revealed reward_flag.txt which gives you the sixth flag (TW9uZ29saWEgRmxhZzogNmI0OWMxM2NjY2Q5MTk0MGYwOWQ3OWUxNDIxMDgzOTQ=) Mongolia Flag: 6b49c13cccd91940f09d79e142108394.

Now onto the home stretch. The winterfell_messenger file has a set group id permission, which immedidately reminded me of the pwnlab challenge which had the same thing. This should give us the permissions  of the file creator, which in this case is root. Executing the file gives a no such file or directory error. So basically we have to create a fake cat file that will execute the file. To do this echo “/bin/sh” > /tmp/cat, chmod 777 /tmp/cat to make it executable and now add the path to the PATH variable export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin. Executing the file gives us root.

ls -alt the directory to reveal all the files gives us the seventh flag (U29tYWxpYSBGbGFnOiA0YTY0YTU3NWJlODBmOGZmYWIyNmIwNmE5NThiY2YzNA==) Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34.

However you can’t just use the cat command because we altered it, now we have to call of cat directly by using /usr/bin/cat .flag.txt.

And that’s it for this challenge. Thanks for reading.

 

Author: moxley91

Gate keeper of alexsemaan.xyz

Leave a Reply

Your email address will not be published. Required fields are marked *