This post covers the second part of the Game of Thrones CTF 1 walkthrough. In the first part I have already found the first two kingdom flags and one secret flag:
Flag 3 – Iron Islands
The next stop are the Iron Islands. According to the map I have found in the first part, they can be found on the
DNS service. In order to achieve that, I used the two hints I have found in Winterfell:
“We must do something here before travelling to Iron Islands, my lady” – Podrick Payne
“Yeah, I can feel the magic on that shield. Swords are no more use here” – Brienne Tarth
On the webpage of Winterfell there was another image showing a shield, so I looked at this image a bit closer.
root@kali:~# strings shield.jpeg | tail ;uf'$ \(=@ rrM} ]oG| i7:> qws#K, drU3 f92jw.O )99< "Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy
Another hint. I should ask for Timef0rconqu3rs and since we are talking about
DNS I should probably ask there after the TXT entry.
root@kali:~# nslookup -q=TXT Timef0rconqu3rs 192.168.56.101 Server: 192.168.56.101 Address: 192.168.56.101#53 ** server can't find Timef0rconqu3rs.home: SERVFAIL root@kali:~# nslookup -q=TXT Timef0rconqu3rs.7kingdoms.ctf 192.168.56.101 Server: 192.168.56.101 Address: 192.168.56.101#53 Timef0rconqu3rs.7kingdoms.ctf text = "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"
Only asking after Timef0rconqu3rs did not work, but then I remembered that we had a base domain of 7kingdoms.ctf so I tried to ask for
Timef0rconqu3rs.7kingdoms.ctf. And yes, I have found the third kingdom flag: Iron Islands: 5e93de3efa544e85dcd6311732d28f95.
Flag 4 – Stormlands
Luckily, the next step is already given: Go to
http://stormlands.7kingdoms.ctf:10000 and log in with the credentials
aryastark/N3ddl3_1s_a_g00d_sword#!. In order to do that, I again had to change the
hosts file. Connecting to the webpage resulted in
I first tried to look for some files using the search function, but there was nothing, so I started trying to check for a SQL injection. And indeed, searching for ‘ resulted in a link for a File Manager. Unfortunately, this File Manager required Java which made me really crazy, because I activated it and I could see a file structure, but I could not browse through it. Eventually, I used Safari where it worked. I browsed to
/home/aryastark/ where I found
_____ _ _ _
| __| |_ ___ ___ _____| |___ ___ _| |___
|__ | _| . | _| | | . | | . |_ -|
|_____|_| |___|_| |_|_|_|_|__,|_|_|___|___|
Congratulations! you conquered Stormlands. This is your flag: 8fc42c6ddf9966db3b09e84365034357
Now prepare yourself for the next challenge!
The credentials to access to the Mountain and the Vale kingdom are:
pgAdmin magic will not work. Command line should be used on that kingdom – Talisa Maegyr
Flag.txt contains the next flag and some useful hints how to proceed.
Flag 5 – Mountain and the Vale
According to the map, the next stop is the mountain and the vale, which is the
postgresql server. Luckily I just got the credentials (robinarryn/cr0wn_f0r_a_King-_) and the database name (mountainandthevale). So let’s connect to it and see what’s there
root@kali:~# psql -h 192.168.56.101 -p 5432 -U robinarryn -d mountainandthevale Password for user robinarryn: psql (10.0, server 9.6.4) Type "help" for help. mountainandthevale=> \d List of relations Schema | Name | Type | Owner --------+----------------------------+----------+------------ public | aryas_kill_list | table | postgres public | aryas_kill_list_id_seq | sequence | postgres public | braavos_book | table | postgres public | eyrie | table | postgres public | eyrie_id_seq | sequence | postgres public | flag | view | robinarryn public | popular_wisdom_book | table | postgres public | popular_wisdom_book_id_seq | sequence | postgres (8 rows) mountainandthevale=> \d+ flag View "public.flag" Column | Type | Collation | Nullable | Default | Storage | Description ----------+---------+-----------+----------+---------+---------+------------- ?column? | unknown | | | | plain | View definition: SELECT 'TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw==';
And here is the next flag! However, it is
Base64 encoded. Decoding it gives
Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: email@example.com/H1gh.Gard3n.powah , but first you must be able to open the gates
This was a good progress! With this I would like to finish the second part of this series. Next stop will be the Kingdom of the Reach, aka
imap. Until then, HAPPY HACKING. (Find Part 3 here)