This post covers the first part of the Game of Thrones CTF 1 provided by Vulnhub. The CTF contains 11 flags in total (7 kingdom flags, 3 secret flags and one battle flag). The flags will be a md5 hash.
Please notice that this walkthrough might contain SPOILER to the actual series and as usual, if you have not solved this challenge yet, then try it first on your own!
I always start with discovering the host. For this I usually use the
root@kali:~# netdiscover -r 192.168.56.0/24 -i eth1 Currently scanning: Finished! | Screen View: Unique Hosts 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.56.1 **:**:**:**:**:** 1 60 Unknown vendor 192.168.56.100 **:**:**:**:**:** 1 60 PCS Systemtechnik GmbH 192.168.56.101 **:**:**:**:**:** 1 60 PCS Systemtechnik GmbH
Since I know my system, 192.168.56.101 is the target machine.
Next I need to find out what open ports there are, so I use a very basic
nmap-scan to figure this out.
root@kali:~# nmap 192.168.56.101 Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-27 10:34 CEST Nmap scan report for stormlands.7kingdoms.ctf (192.168.56.101) Host is up (0.00078s latency). Not shown: 992 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 53/tcp open domain 80/tcp open http 143/tcp filtered imap 3306/tcp filtered mysql 5432/tcp open postgresql 10000/tcp open snet-sensor-mgmt Nmap done: 1 IP address (1 host up) scanned in 42.71 seconds
There are quiet many open ports. I usually start with the
http service (if there is any).
Flag 1 – Dorne
The main webpage only shows a Game of Thrones background and plays the typical title song. Having a look at the source code however, reveals useful hints
The two main hints in this source are:
“Everything can be TAGGED in this world, even the magic or the music” – Bronn of the Blackwater
“To enter in Dorne you’ll need to be a kind face” – Ellaria Sand
The first hint made me aware of the two different audio files that are loaded. So I downloaded both of then and listened to them. They simply played the title song. However, the keyword TAGGED made me suspicious and I examined the files a bit more.
root@kali:~#exiftool game_of_thrones.mp3 ... Comment: Savages secret flag: 8bf8854bebe108183caeb845c7676ae4 ...
So this is not the flag of Dorne, but the first of three secret flags. I have also examined the other file, but there was nothing special about, so I started examining the static (css and js) files. They contained three more hints:
“Music reaches where words can’t. It’s known even for the animals” – Catelyn Stark
“You’ll never enter into King’s Landing through the main gates. The queen ordered to close them permanently until the end of the war” – Tywin Lannister
“If you put a city under siege, after five attacks you’ll be banned two minutes” – Aegon the Conqueror and His Conquest of Westeros Book
However, they only refer to the banning when one tries to bruteforce passwords. Since this has been all I found in the source code, I decided to run some scans on the host. Luckily,
uniscan gave some useful information.
root@kali:~# uniscan -u 192.168.56.101 -qweds ... =================================================================================================== | | Check robots.txt: | [+] User-agent: Three-eyed-raven | [+] Allow: /the-tree/ | [+] User-agent: * | [+] Disallow: /secret-island/ | [+] Disallow: /direct-access-to-kings-landing/ | | Check sitemap.xml: | [+] http://192.168.56.101/index.php | [+] http://192.168.56.101/raven.php =================================================================================================== ...
There are some new folders which we can examine, so let’s visit them.
/the-tree/ shows an image of Jon Snow when he was stabbed. Having a look at the source-code revealed another hint:
“You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven” – Written on the tree by somebody
It is very suspicious that there are some capital characters. Reading only those says “USERAGENT”. This and the result of
uniscan brought me to change the User-Agent to “Three-eyed-raven”. Using BurpSuite to change the User-Agent revealed another site under
/the-tree/ which gave again three hints:
“I will give you three hints, I can see the future so listen carefully” – The three-eyed raven Bran Stark”
“To enter in Dorne you must identify as oberynmartell. You still should find the password”
“3487 64535 12345 . Remember these numbers, you’ll need to use them with POLITE people you’ll know when to use them”
“The savages never crossed the wall. So you must look for them before crossing it”
I now have something that looks like a username for Dorne (oberynmartell) and also something that looks like port numbers for port knocking. Since I already have the Savages flag, the last hint can be ignored. However, I still need to find out the password for Dorne and where to access Dorne (I assume that it is one of those ports).
Luckily, this map tells me where to access every kingdom, especially that Dorne is on the
FTP port. I still need the password though. On
/direct-access-to-kings-landing/ I found another hint about the savages which I ignored since I already have the flag. On
raven.php though, I found another useful hint:
You received a raven with this message:
“To pass through the wall, mcrypt spell will help you. It doesn’t matter who you are, only the key is needed to open the secret door” – Anonymous
Since I had still no clue about the password to the
FTP server, I needed to do some other investigation. After some basic password attempts with names and some Game of Thrones knowledge I ran a scan with
... ---- Entering directory: http://192.168.56.101/h/i/d/d/e/n/ ---- + http://192.168.56.101/h/i/d/d/e/n/index.php (CODE:200|SIZE:732) ...
There is another hidden directory! The page source reveals again two hints:
“My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me” – Lord (The Spider) Varys
“Powerful docker spells were cast over all kingdoms. We must be careful! You can’t travel directly from one to another… usually. That’s what the Lord of Light has shown me” – The Red Woman Melisandre
Yes, I have found the password for Dorne (A_verySmallManCanCastAVeryLargeShad0w), so let’s log into the
FTP server and find the flag!
root@kali:~# ftp 192.168.56.101 Connected to 192.168.56.101. 220------------------------- 220-"These are the Dorne city walls. We must enter!" - Grey Worm 220- 220-"A fail2ban spell is protecting these walls. You'll never get in" - One of the Sand Snake Girls 220------------------------- 220 This is a private system - No anonymous login Name (192.168.56.101:root): oberynmartell 331 User oberynmartell OK. Password required Password: 230-OK. Current directory is / 230-Welcome to: 230- ____ 230-| \ ___ ___ ___ ___ 230-| | | . | _| | -_| 230-|____/|___|_| |_|_|___| 230- 230-Principality of Dorne was conquered. This is your first kingdom flag! 230 fb8d98be1265dd88bac522e1b2182140 Remote system type is UNIX. Using binary mode to transfer files. ftp>
And here is the first kingdom flag! Dorne: fb8d98be1265dd88bac522e1b2182140.
Flag 2: Winterfell
Unfortunately, I could not continue examining the server via the command line because of some weird error, so I tried to access over the browser.
The first file shows the following:
“There are problems in the north. We must travel quickly. Once there we must defend the wall” – Jon Snow
“What kind of magic is this?!? I never saw before this kind of papirus. Let’s check it carefully” – Maester Aemon Targaryen
and the second one is a file encrypted with
mcrypt. md5(md5($s).$p) reminds me of a hash-mode, so I tried to crack the hash with this mode using
hashcat. Unfortunately, this hash-mode is not supported anymore with the current version of
hashcat, but I found out, that it is still supported with the
hashcat-legacy. Using the legacy hashcat and the wordlist
rockyou.txt, the hash was cracked very quickly into
stark. Using this as the password for the encrypted file yield in
root@kali:~# mcrypt -d the_wall.txt.nc Enter passphrase: File the_wall.txt.nc was decrypted. root@kali:~# cat the_wall.txt "We defended the wall. Thanks for your help. Now you can go to recover Winterfell" - Jeor Mormont, Lord Commander of the Night's Watch "I'll write on your map this route to get faster to Winterfell. Someday I'll be a great maester" - Samwell Tarly http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------ Enter using this user/pass combination: User: jonsnow Pass: Ha1lt0th3k1ng1nth3n0rth!!!
So the next stop is, according to the map, The North and The Wall which is the
HTTP server. Trying to connect to
http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------ gives a Server not found error message. However, the second hint in this file brought me to the right direction. I had this also in another CTF, namely changing the
hosts file. Setting
winterfell.7kingdom.ctf to the IP-address and reconnecting opens a login form where I could login with the provided credentials. The resulting source code gives the next flag and another hint:
Welcome to Winterfell
You conquered the Kingdom of the North. This is your second kingdom flag!
“We must do something here before travelling to Iron Islands, my lady” – Podrick Payne
“Yeah, I can feel the magic on that shield. Swords are no more use here” – Brienne Tarth
So let me sum up what I have got so far. So far I have found three flags in total, two kingdom flags and one secret flag.
This finishes the first part of this writeup. The second part will follow soon and until then, HAPPY HACKING. (Find Part 2 here)