This post covers the second part of the Game of Thrones CTF 1 walkthrough. In the first part I have already found the first two kingdom flags and one secret flag:

Kingdom Flags
Dorne: fb8d98be1265dd88bac522e1b2182140
Winterfell: 639bae9ac6b3e1a84cebb7b403297b79

Secret Flag
Savages: 8bf8854bebe108183caeb845c7676ae4

Flag 3 – Iron Islands

The next stop are the Iron Islands. According to the map I have found in the first part, they can be found on the DNS service. In order to achieve that, I used the two hints I have found in Winterfell:

“We must do something here before travelling to Iron Islands, my lady” – Podrick Payne

“Yeah, I can feel the magic on that shield. Swords are no more use here” – Brienne Tarth

On the webpage of Winterfell there was another image showing a shield, so I looked at this image a bit closer.

root@kali:~# strings shield.jpeg | tail
;uf'$
\(=@
rrM}
]oG|
i7:>
qws#K,
drU3
f92jw.O
)99<
"Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy

Another hint. I should ask for Timef0rconqu3rs and since we are talking about DNS I should probably ask there after the TXT entry.

root@kali:~# nslookup -q=TXT Timef0rconqu3rs 192.168.56.101
Server:		192.168.56.101
Address:	192.168.56.101#53

** server can't find Timef0rconqu3rs.home: SERVFAIL

root@kali:~# nslookup -q=TXT Timef0rconqu3rs.7kingdoms.ctf 192.168.56.101
Server:		192.168.56.101
Address:	192.168.56.101#53

Timef0rconqu3rs.7kingdoms.ctf	text = "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"

Only asking after Timef0rconqu3rs did not work, but then I remembered that we had a base domain of 7kingdoms.ctf so I tried to ask for Timef0rconqu3rs.7kingdoms.ctf. And yes, I have found the third kingdom flag: Iron Islands: 5e93de3efa544e85dcd6311732d28f95.

Flag 4 – Stormlands

Luckily, the next step is already given: Go to http://stormlands.7kingdoms.ctf:10000 and log in with the credentials aryastark/N3ddl3_1s_a_g00d_sword#!. In order to do that, I again had to change the hosts file. Connecting to the webpage resulted in

I first tried to look for some files using the search function, but there was nothing, so I started trying to check for a SQL injection. And indeed, searching for ‘ resulted in a link for a File Manager. Unfortunately, this File Manager required Java which made me really crazy, because I activated it and I could see a file structure, but I could not browse through it. Eventually, I used Safari where it worked. I browsed to /home/aryastark/ where I found flag.txt

Welcome to:
_____ _ _ _
| __| |_ ___ ___ _____| |___ ___ _| |___
|__ | _| . | _| | | . | | . |_ -|
|_____|_| |___|_| |_|_|_|_|__,|_|_|___|___|
Congratulations! you conquered Stormlands. This is your flag: 8fc42c6ddf9966db3b09e84365034357

Now prepare yourself for the next challenge!

The credentials to access to the Mountain and the Vale kingdom are:
user/pass: robinarryn/cr0wn_f0r_a_King-_
db: mountainandthevale

pgAdmin magic will not work. Command line should be used on that kingdom – Talisa Maegyr

Flag.txt contains the next flag and some useful hints how to proceed.

Flag 5 – Mountain and the Vale

According to the map, the next stop is the mountain and the vale, which is the postgresql server. Luckily I just got the credentials (robinarryn/cr0wn_f0r_a_King-_) and the database name (mountainandthevale). So let’s connect to it and see what’s there

root@kali:~# psql -h 192.168.56.101 -p 5432 -U robinarryn -d mountainandthevale
Password for user robinarryn: 
psql (10.0, server 9.6.4)
Type "help" for help.

mountainandthevale=> \d
                      List of relations
 Schema |            Name            |   Type   |   Owner    
--------+----------------------------+----------+------------
 public | aryas_kill_list            | table    | postgres
 public | aryas_kill_list_id_seq     | sequence | postgres
 public | braavos_book               | table    | postgres
 public | eyrie                      | table    | postgres
 public | eyrie_id_seq               | sequence | postgres
 public | flag                       | view     | robinarryn
 public | popular_wisdom_book        | table    | postgres
 public | popular_wisdom_book_id_seq | sequence | postgres
(8 rows)

mountainandthevale=> \d+ flag
                             View "public.flag"
  Column  |  Type   | Collation | Nullable | Default | Storage | Description 
----------+---------+-----------+----------+---------+---------+-------------
 ?column? | unknown |           |          |         | plain   | 
View definition:
 SELECT 'TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw==';

And here is the next flag! However, it is Base64 encoded. Decoding it gives

Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah , but first you must be able to open the gates

This was a good progress! With this I would like to finish the second part of this series. Next stop will be the Kingdom of the Reach, aka imap. Until then, HAPPY HACKING. (Find Part 3 here)