
Game of Thrones CTF 1 Walkthrough – Part 1

This post covers the first part of the Game of Thrones CTF 1 provided by Vulnhub. The CTF contains 11 flags in total (7 kingdom flags, 3 secret flags and one battle flag). Each flag is an MD5 hash.

Please note that this walkthrough might contain spoilers for the actual series and, as usual, if you have not solved this challenge yet, try it on your own first!

Prephase

Hostdiscovery

I always start with discovering the host. For this I usually use the netdiscover tool.

root@kali:~# netdiscover -r 192.168.56.0/24 -i eth1

Currently scanning: Finished! | Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP             At MAC Address   Count  Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1   **:**:**:**:**:**   1    60 Unknown vendor
192.168.56.100 **:**:**:**:**:**   1    60 PCS Systemtechnik GmbH
192.168.56.101 **:**:**:**:**:**   1    60 PCS Systemtechnik GmbH

Since I know my system, 192.168.56.101 is the target machine.

Portscanning

Next I need to find out what open ports there are, so I use a very basic nmap-scan to figure this out.

root@kali:~# nmap 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-27 10:34 CEST
Nmap scan report for stormlands.7kingdoms.ctf (192.168.56.101)
Host is up (0.00078s latency).
Not shown: 992 closed ports
PORT       STATE     SERVICE
21/tcp     open      ftp
22/tcp     open      ssh
53/tcp     open      domain
80/tcp     open      http
143/tcp    filtered  imap
3306/tcp   filtered  mysql
5432/tcp   open      postgresql
10000/tcp  open      snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 42.71 seconds

There are quite a few open ports. I usually start with the HTTP service (if there is one).

Flag 1 – Dorne

The main webpage only shows a Game of Thrones background and plays the typical title song. Having a look at the source code, however, reveals useful hints.

The two main hints in this source are:

“Everything can be TAGGED in this world, even the magic or the music” – Bronn of the Blackwater
“To enter in Dorne you’ll need to be a kind face” – Ellaria Sand

The first hint made me aware of the two different audio files that are loaded. So I downloaded both of them and listened to them. They simply played the title song. However, the keyword TAGGED made me suspicious, so I examined the files more closely.

root@kali:~# exiftool game_of_thrones.mp3
...
Comment:        Savages secret flag: 8bf8854bebe108183caeb845c7676ae4
...
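exiftool reads that Comment from the ID3v2 tag at the start of the MP3, so the flag sits in plain metadata, not in the audio. The following is an added example (not from the original post and not part of the CTF) that parses the COMM frames of an ID3v2.3/2.4 tag with the standard library only. The sample file it builds is constructed here; only the comment text is the one printed above. Extended headers and unsynchronisation are assumed absent, and only the single-byte text encodings are decoded.

```python
import struct

# Constructed sample: an ID3v2.3 tag carrying one COMM frame, followed by a few
# dummy bytes standing in for audio. Only the comment text comes from the page.
SAVAGES_COMMENT = "Savages secret flag: 8bf8854bebe108183caeb845c7676ae4"


def int_to_syncsafe(n: int) -> bytes:
    """ID3 'syncsafe' integer: four bytes, seven usable bits each, big-endian."""
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))


def syncsafe_to_int(b: bytes) -> int:
    n = 0
    for byte in b:
        n = (n << 7) | (byte & 0x7F)
    return n


def build_sample_mp3(comment: str) -> bytes:
    """Build a minimal ID3v2.3-tagged file whose only frame is a COMM comment."""
    # COMM body: text encoding (0x00 = ISO-8859-1), 3-letter language code,
    # null-terminated short description (empty here), then the comment text.
    body = b"\x00" + b"eng" + b"\x00" + comment.encode("latin-1")
    # v2.3 frame header: 4-byte id, 4-byte big-endian size, 2 flag bytes.
    frame = b"COMM" + struct.pack(">I", len(body)) + b"\x00\x00" + body
    # Tag header: "ID3", version 2.3, flags, syncsafe size of everything after it.
    header = b"ID3" + b"\x03\x00" + b"\x00" + int_to_syncsafe(len(frame))
    return header + frame + b"\xff\xfb" + b"\x00" * 32  # fake MPEG frame sync + padding


def id3v2_comments(data: bytes) -> list[tuple[str, str]]:
    """Return (description, text) for every COMM frame in an ID3v2.3/2.4 tag.

    Encodings 0 (ISO-8859-1) and 3 (UTF-8) are decoded; UTF-16 comments are
    reported with a placeholder instead of being decoded.
    """
    if len(data) < 10 or data[:3] != b"ID3":
        return []
    major = data[3]
    tag_end = 10 + syncsafe_to_int(data[6:10])
    pos, found = 10, []
    while pos + 10 <= tag_end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":  # padding: no more frames
            break
        if major >= 4:  # v2.4 frame sizes are syncsafe, v2.3 sizes are plain big-endian
            size = syncsafe_to_int(data[pos + 4:pos + 8])
        else:
            size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 10:pos + 10 + size]
        pos += 10 + size
        if frame_id != b"COMM" or len(body) < 4:
            continue
        encoding, rest = body[0], body[4:]  # skip the 3-byte language code
        if encoding in (0, 3):
            codec = "latin-1" if encoding == 0 else "utf-8"
            desc, _, text = rest.partition(b"\x00")
            found.append((desc.decode(codec, "replace"),
                          text.decode(codec, "replace").rstrip("\x00")))
        else:
            found.append(("", "<unsupported encoding>"))
    return found


def comments_from_file(path: str) -> list[tuple[str, str]]:
    """Read only the tag region of a real file; the 10-byte header tells us its size."""
    with open(path, "rb") as f:
        head = f.read(10)
        if head[:3] != b"ID3":
            return []
        return id3v2_comments(head + f.read(syncsafe_to_int(head[6:10])))


if __name__ == "__main__":
    import sys
    for _, text in id3v2_comments(build_sample_mp3(SAVAGES_COMMENT)):
        print("Comment:", text)
    for path in sys.argv[1:]:  # e.g. the downloaded game_of_thrones.mp3
        for _, text in comments_from_file(path):
            print(f"{path}: {text}")
```

Run it with the downloaded MP3 as an argument to check the tag without exiftool; the built-in sample shows the frame layout the parser expects.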

So this is not the flag of Dorne, but the first of three secret flags. I also examined the other file, but there was nothing special about it, so I started examining the static (CSS and JS) files. They contained three more hints:

“Music reaches where words can’t. It’s known even for the animals” – Catelyn Stark
“You’ll never enter into King’s Landing through the main gates. The queen ordered to close them permanently until the end of the war” – Tywin Lannister
“If you put a city under siege, after five attacks you’ll be banned two minutes” – Aegon the Conqueror and His Conquest of Westeros Book

However, they only refer to the ban that is triggered when one tries to brute-force passwords. Since this was all I found in the source code, I decided to run some scans on the host. Luckily, uniscan gave some useful information.

root@kali:~# uniscan -u 192.168.56.101 -qweds
...
===================================================================================================
|
| Check robots.txt:
| [+] User-agent: Three-eyed-raven
| [+] Allow: /the-tree/
| [+] User-agent: *
| [+] Disallow: /secret-island/
| [+] Disallow: /direct-access-to-kings-landing/
|
| Check sitemap.xml:
| [+] http://192.168.56.101/index.php
| [+] http://192.168.56.101/raven.php
===================================================================================================
...

There are some new folders which we can examine, so let’s visit them. /the-tree/ shows an image of Jon Snow when he was stabbed. Having a look at the source code revealed another hint:

“You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven” – Written on the tree by somebody

It is very suspicious that some characters are capitalized. Reading only those spells “USERAGENT”. This, together with the uniscan result, led me to change the User-Agent to “Three-eyed-raven”. Using Burp Suite to change the User-Agent revealed another page under /the-tree/, which again gave three hints:
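The two steps above (reading the per-agent rules out of robots.txt, then decoding the hint and repeating the request with that User-Agent) can be scripted. The block below is an added example, not code from the original post: the robots.txt content and the tree hint are copied from the output quoted above, the target address is the one from the scans, and the hidden-word rule (upper-case letters that do not start a sentence) is my reading of the hint.

```python
import urllib.request
from urllib.error import URLError

# robots.txt content, constructed from the uniscan output above
ROBOTS_TXT = """\
User-agent: Three-eyed-raven
Allow: /the-tree/
User-agent: *
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/
"""

# The hint written on the tree, quoted from the page
TREE_HINT = ("You mUSt changE your own shape and foRm if you wAnt to GEt "
             "the right aNswer from the Three-eyed raven")


def parse_robots(text: str) -> list[tuple[str, str, str]]:
    """Flatten robots.txt into (user_agent, directive, path) triples.

    Consecutive User-agent lines form one group; the first Allow/Disallow after
    a group closes it, so a later User-agent line starts a fresh group.
    """
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow") and value:
            in_rules = True
            for agent in agents or ["*"]:
                rules.append((agent, field, value))
    return rules


def hidden_capitals(text: str) -> str:
    """Collect upper-case letters that are not the first letter of a sentence."""
    out, sentence_start = [], True
    for ch in text:
        if ch.isupper() and not sentence_start:
            out.append(ch)
        if ch in ".!?":
            sentence_start = True
        elif not ch.isspace():
            sentence_start = False
    return "".join(out)


def build_request(url: str, user_agent: str) -> urllib.request.Request:
    """Same effect as rewriting the header in Burp: one request with a chosen User-Agent."""
    return urllib.request.Request(url, headers={"User-Agent": user_agent})


def fetch_as(url: str, user_agent: str, timeout: float = 5.0) -> tuple[int, bytes]:
    with urllib.request.urlopen(build_request(url, user_agent), timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    rules = parse_robots(ROBOTS_TXT)
    for agent, directive, path in rules:
        print(f"{directive:8} {path:40} for User-agent {agent}")
    print("hidden word:", hidden_capitals(TREE_HINT))
    base = "http://192.168.56.101"  # target IP from the scans above
    # Paths that are listed for a specific agent are worth re-requesting as that agent.
    for agent, _, path in rules:
        if agent == "*":
            continue
        try:
            status, body = fetch_as(base + path, agent)
            print(agent, path, status, len(body), "bytes")
        except (URLError, OSError) as exc:
            print(agent, path, "request failed:", exc)
```

Comparing the response length for the same path with and without the special User-Agent is the quickest way to see whether the server really branches on that header.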

“I will give you three hints, I can see the future so listen carefully” – The three-eyed raven Bran Stark
“To enter in Dorne you must identify as oberynmartell. You still should find the password”
“3487 64535 12345 . Remember these numbers, you’ll need to use them with POLITE people you’ll know when to use them”
“The savages never crossed the wall. So you must look for them before crossing it”

I now have something that looks like a username for Dorne (oberynmartell) and also something that looks like port numbers for port knocking. Since I already have the Savages flag, the last hint can be ignored. However, I still need to find out the password for Dorne and where to access Dorne (I assume that it is one of those ports).

On /secret-island/ I found the map that was mentioned before:

Luckily, this map tells me where to access every kingdom; in particular, Dorne is on the FTP port. I still need the password though. On /direct-access-to-kings-landing/ I found another hint about the savages, which I ignored since I already have that flag. On raven.php, though, I found another useful hint:

You received a raven with this message:
“To pass through the wall, mcrypt spell will help you. It doesn’t matter who you are, only the key is needed to open the secret door” – Anonymous

Since I still had no clue about the password for the FTP server, I needed to do some further investigation. After some basic password attempts with names and Game of Thrones knowledge, I ran a scan with dirb:

...
---- Entering directory: http://192.168.56.101/h/i/d/d/e/n/ ----
+ http://192.168.56.101/h/i/d/d/e/n/index.php (CODE:200|SIZE:732)
...

There is another hidden directory! The page source reveals again two hints:

“My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me” – Lord (The Spider) Varys
“Powerful docker spells were cast over all kingdoms. We must be careful! You can’t travel directly from one to another… usually. That’s what the Lord of Light has shown me” – The Red Woman Melisandre

Yes, I have found the password for Dorne (A_verySmallManCanCastAVeryLargeShad0w), so let’s log into the FTP server and find the flag!

root@kali:~# ftp 192.168.56.101
Connected to 192.168.56.101.
220-------------------------
220-"These are the Dorne city walls. We must enter!" - Grey Worm
220-
220-"A fail2ban spell is protecting these walls. You'll never get in" - One of the Sand Snake Girls
220-------------------------
220 This is a private system - No anonymous login
Name (192.168.56.101:root): oberynmartell
331 User oberynmartell OK. Password required
Password:
230-OK. Current directory is /
230-Welcome to:
230- ____                  
230-|    \ ___ ___ ___ ___ 
230-|  |  | . |  _|   | -_|
230-|____/|___|_| |_|_|___|
230-
230-Principality of Dorne was conquered. This is your first kingdom flag!
230 fb8d98be1265dd88bac522e1b2182140
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

And here is the first kingdom flag! Dorne: fb8d98be1265dd88bac522e1b2182140.

Flag 2: Winterfell

Unfortunately, I could not continue examining the server via the command line because of some weird error, so I tried to access it via the browser.

The first file shows the following:


“There are problems in the north. We must travel quickly. Once there we must defend the wall” – Jon Snow

“What kind of magic is this?!? I never saw before this kind of papirus. Let’s check it carefully” – Maester Aemon Targaryen

md5(md5($s).$p)

nobody:6000e084bf18c302eae4559d48cb520c$2hY68a

and the second one is a file encrypted with mcrypt. md5(md5($s).$p) looks like a hashcat hash-mode, so I tried to crack the hash with this mode using hashcat. Unfortunately, this hash-mode is no longer supported by the current version of hashcat, but I found out that it is still supported by hashcat-legacy. Using the legacy hashcat and the wordlist rockyou.txt, the hash was cracked very quickly to stark. Using this as the password for the encrypted file yields:

root@kali:~# mcrypt -d the_wall.txt.nc 
Enter passphrase: 
File the_wall.txt.nc was decrypted.
root@kali:~# cat the_wall.txt
"We defended the wall. Thanks for your help. Now you can go to recover Winterfell" - Jeor Mormont, Lord Commander of the Night's Watch

"I'll write on your map this route to get faster to Winterfell. Someday I'll be a great maester" - Samwell Tarly

http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------
Enter using this user/pass combination:
User: jonsnow
Pass: Ha1lt0th3k1ng1nth3n0rth!!!
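If hashcat-legacy is not at hand, the md5(md5($s).$p) construction is easy to reproduce directly. The block below is an added example, not code from the original post: it splits the user:digest$salt line shown above, implements the hash the way PHP evaluates that expression (the inner md5() yields 32 lowercase hex characters as text, which the dot operator concatenates with the password), and tries a list of candidates. The short candidate list is constructed here as a stand-in for rockyou.txt; pass a wordlist path as the first argument to use a real one.

```python
import hashlib
from typing import Iterable, Optional

# The line from the first Winterfell file, exactly as shown above
HASH_LINE = "nobody:6000e084bf18c302eae4559d48cb520c$2hY68a"

# Constructed mini wordlist standing in for rockyou.txt
CANDIDATES = ["winter", "snow", "lannister", "stark", "targaryen"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_hash(salt: str, password: str) -> str:
    """md5(md5($s).$p): hex digest of the salt, concatenated as text with the
    password, hashed again. Hex text (not raw digest bytes) is PHP's behaviour."""
    return md5_hex((md5_hex(salt.encode()) + password).encode())


def parse_hash_line(line: str) -> tuple[str, str, str]:
    """Split 'user:digest$salt' into its three parts."""
    user, _, rest = line.strip().partition(":")
    digest, _, salt = rest.partition("$")
    return user, digest.lower(), salt


def crack(digest: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose md5(md5($s).$p) equals digest, else None."""
    digest = digest.lower()
    for word in candidates:
        if make_hash(salt, word) == digest:
            return word
    return None


def wordlist(path: str) -> Iterable[str]:
    """Stream a wordlist such as rockyou.txt; it has non-UTF-8 lines, so decode leniently."""
    with open(path, "rb") as f:
        for raw in f:
            yield raw.rstrip(b"\r\n").decode("utf-8", "ignore")


if __name__ == "__main__":
    import sys
    user, digest, salt = parse_hash_line(HASH_LINE)
    words = wordlist(sys.argv[1]) if len(sys.argv) > 1 else CANDIDATES
    result = crack(digest, salt, words)
    print(f"{user}: {'cracked -> ' + result if result else 'not found in the list'}")
```

The salt convention matters: a password hash format that puts the salt after a `$` separator, as here, is different from formats that prepend it, so check the format string before assuming which part is the digest.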

So the next stop, according to the map, is The North and The Wall, which is the HTTP server. Trying to connect to http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------ gives a “Server not found” error message. However, the second hint in this file pointed me in the right direction. I had this in another CTF as well, namely changing the hosts file. Mapping winterfell.7kingdoms.ctf to the IP address and reconnecting opens a login form where I could log in with the provided credentials. The resulting source code gives the next flag and another hint:


Welcome to Winterfell
You conquered the Kingdom of the North. This is your second kingdom flag!
639bae9ac6b3e1a84cebb7b403297b79

“We must do something here before travelling to Iron Islands, my lady” – Podrick Payne

“Yeah, I can feel the magic on that shield. Swords are no more use here” – Brienne Tarth
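The “Server not found” error is a DNS failure on the attacking machine, not a problem on the target: the web server is doing name-based virtual hosting, so it only serves the Winterfell site when the Host header carries that name. The hosts-file entry supplies the name resolution; the same thing can be checked without touching /etc/hosts by connecting to the IP and setting the Host header by hand. This is an added example, not code from the original post; the IP and host names are the ones that appear in the scans above, and the login step is left out because the post does not describe the form.

```python
import http.client
from urllib.parse import urlsplit

TARGET_IP = "192.168.56.101"
ROUTE = "http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------"


def split_route(url: str) -> tuple[str, str]:
    """Return (hostname, path) of a URL; the path keeps its query string."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, path


def hosts_entry(ip: str, *hostnames: str) -> str:
    """One /etc/hosts line mapping the CTF names onto the VM's address."""
    return ip + " " + " ".join(hostnames)


def vhost_get(ip: str, hostname: str, path: str, timeout: float = 5.0) -> tuple[int, dict, bytes]:
    """Connect to the IP directly but send the chosen Host header.

    This is exactly what the hosts-file change achieves: the TCP connection goes
    to the address, and the Host header selects the virtual host on the server.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname, "User-Agent": "vhost-probe"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def probe_vhosts(ip: str, hostnames, path: str = "/") -> dict:
    """Compare what the same path returns under different Host names."""
    results = {}
    for name in hostnames:
        try:
            status, _, body = vhost_get(ip, name, path)
            results[name] = (status, len(body))
        except OSError as exc:
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    hostname, path = split_route(ROUTE)
    print("hosts line:", hosts_entry(TARGET_IP, hostname))
    # Names from the scan output on this page; a differing status or size shows
    # that the server branches on the Host header.
    print(probe_vhosts(TARGET_IP, ["stormlands.7kingdoms.ctf", hostname], path))
```

A different status or body length for the same path under different names confirms name-based virtual hosting, which is also why the HTTP service looked empty when addressed by IP alone.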

So let me sum up what I have found so far: three flags in total, two kingdom flags and one secret flag.

Kingdom Flags
Dorne: fb8d98be1265dd88bac522e1b2182140
Winterfell: 639bae9ac6b3e1a84cebb7b403297b79

Secret Flag
Savages: 8bf8854bebe108183caeb845c7676ae4

This finishes the first part of this writeup. The second part will follow soon and until then, HAPPY HACKING. (Find Part 2 here)
