SkyDog CTF VM — Vulnhub.com

So as usual I started this walkthrough with a simple netdiscover scan to find the IP address.

Next I decided to try a new tool I'd read about called Sparta. Brian Johnson over on 7ms.us suggested it, as it runs an in-depth nmap scan and then automatically follows up with useful tools like Nikto.

So I fired up Sparta and ran it against the IP address. I have to say I really like the app: it pulled the Nikto findings and a screenshot of the web page without any extra work.
I think I'll be using it again for the next few VMs I do.

The open ports came back as:
22/tcp ssh
80/tcp http

Let's check out the web page and see what's on there. It turns out there isn't a lot: a single JPG image, and the page source contains nothing but that image tag either. Let's download the image and run some information gathering on it.

exiftool /root/SkyDogCon_CTF.jpg

ExifTool Version Number : 10.23
File Name : SkyDogCon_CTF.jpg
Directory : /root/Desktop/VulnHub Boxes/SkyDog
File Size : 83 kB
File Modification Date/Time : 2016:08:14 13:31:43-04:00
File Access Date/Time : 2016:08:14 13:31:43-04:00
File Inode Change Date/Time : 2016:08:14 13:31:43-04:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Exif Byte Order : Big-endian (Motorola, MM)
Software : Adobe ImageReady
XP Comment : flag{abc40a2d4e023b42bd1ff04891549ae2}

Haha, that was easy for the first flag. The 32 hex characters inside the braces look like an MD5 digest, so I'll head over to hashkiller.co.uk and see whether it's in their lookup tables.

abc40a2d4e023b42bd1ff04891549ae2 = MD5 : Welcome[space]Home

I'm not sure whether I'll need that value later, so let's put it in the working notes for now.

Nikto also found a robots.txt, so next I'll take a look at that.

192.168.1.139/robots.txt

Bingo!!! There's flag no. 2:

Congrats Mr. Bishop, your getting good — flag{cd4f10fcba234f0e8b2f60a490c306e6}

cd4f10fcba234f0e8b2f60a490c306e6 = MD5 : Bots
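Both flags so far are MD5 digests that were resolved with an online lookup service. The following is an added example, not code from the original walkthrough: it pulls every flag{...} digest out of recon output (the exiftool comment and the robots.txt line quoted above, embedded here as constructed sample text) and cracks them locally with a dictionary loop, so nothing about the target has to be sent to a third-party site. The wordlist is a small constructed one; a real run would point load_wordlist at rockyou.txt.

```python
"""Extract flag{<md5>} strings from recon output and crack them with a local wordlist.

Added example for this walkthrough (not the original author's code). The sample
text and the five-word list below are constructed; point load_wordlist() at a
real wordlist such as rockyou.txt for a genuine run.
"""
import hashlib
import re
from typing import Iterable, Iterator, Optional

# A flag body in this VM is 32 hex characters, i.e. an MD5 digest.
FLAG_RE = re.compile(r"flag\{([0-9a-fA-F]{32})\}")


def find_flags(text: str) -> list[str]:
    """Return every distinct 32-hex flag body found in text, lower-cased, in order of appearance."""
    seen: list[str] = []
    for m in FLAG_RE.finditer(text):
        digest = m.group(1).lower()
        if digest not in seen:
            seen.append(digest)
    return seen


def crack_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose MD5 equals digest, else None."""
    target = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8", "surrogateescape")).hexdigest() == target:
            return word
    return None


def load_wordlist(path: str) -> Iterator[str]:
    """Stream a wordlist line by line; rockyou.txt is not valid UTF-8, so decode as latin-1."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def crack_flags(text: str, candidates: list[str]) -> dict[str, Optional[str]]:
    """Map each flag digest found in text to its cracked plaintext (or None if not in the list)."""
    return {digest: crack_md5(digest, candidates) for digest in find_flags(text)}


# Constructed sample input: the two artefacts quoted earlier in the walkthrough.
SAMPLE_TEXT = """
XP Comment : flag{abc40a2d4e023b42bd1ff04891549ae2}
Congrats Mr. Bishop, your getting good - flag{cd4f10fcba234f0e8b2f60a490c306e6}
"""

# Constructed wordlist built from the VM's theme; replace with load_wordlist("rockyou.txt").
WORDLIST = ["Welcome Home", "Bots", "Setec Astronomy", "too many secrets", "yourmother"]

if __name__ == "__main__":
    for digest, plain in crack_flags(SAMPLE_TEXT, WORDLIST).items():
        print(f"{digest} -> {plain if plain is not None else '(not in wordlist)'}")
```

The list-based loop is deliberately simple: for a 14-million-line wordlist it still finishes in seconds, and keeping the hashing local matters when the digest itself might be sensitive (a real credential hash rather than a CTF flag).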

A quick dirb scan later and I’ve found these directories

root@kali:~# dirb http://192.168.1.139/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Aug 14 14:01:05 2016
URL_BASE: http://192.168.1.139/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.139/ ----
+ http://192.168.1.139/index.html (CODE:200|SIZE:43)
+ http://192.168.1.139/robots.txt (CODE:200|SIZE:6981)
+ http://192.168.1.139/server-status (CODE:403|SIZE:293)

So index.html is the landing page we've already seen, and /server-status returns a 403 Forbidden: Apache's mod_status page is normally restricted to localhost, so we can't read it from our machine (I'll make a note of it for later).

Let's check out the robots.txt file. There are a lot of entries in it, so I'd like to clean it up to make it easier to read. Let's start by showing only the Allow entries: save the file locally (I pasted it into leafpad) and grep for the Allow lines.

root@kali:~# grep -e Allow: /root/skydogrobots.txt
Allow: /search/about
Allow: /catalogs/about
Allow: /catalogs/p?
Allow: /newsalerts
Allow: /news/directory
Allow: /?hl=
Allow: /?hl=*&gws_rd=ssl$
Allow: /?gws_rd=ssl$
Allow: /?pt1=true$
Allow: /mail/help/
Allow: /m/finance
Allow: /citations?view_op=new_profile
Allow: /citations?view_op=top_venues
Allow: /maps?*output=classic*
Allow: /maps/api/js?
Allow: /maps/d/
Allow: /places/$
Allow: /Setec/
Allow: /jsapi
Allow: /cbk?output=tile&cb_client=maps_sv
Allow: /profiles
Allow: /s2/profiles
Allow: /s2/oz
Allow: /s2/photos

OK, that's a lot more manageable straight away. Let's have a quick look at what's left and see if anything obvious sticks out.
The first thing I notice is that /Setec/ is the only entry that starts with a capital letter. As I've got to start somewhere, it might as well be there, so let's head back over to Firefox and check it out.
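Grepping for Allow lines works, but a robots.txt of this size is really a free wordlist for the directory brute-forcer, and the Disallow entries are usually the more interesting half. The following is an added example, not part of the original walkthrough: it parses both directives, strips the query strings, wildcards and anchors that make many of the entries useless as paths, and builds a probe list. The sample robots.txt is constructed from the Allow lines grepped above plus two Disallow lines of the kind such a file carries; the base URL is the VM's address from the page.

```python
"""Turn a robots.txt into a cleaned probe list for gobuster/dirb.

Added example for this walkthrough (not the original author's code). The
sample robots.txt below is constructed: Allow lines from the grep output
above plus two illustrative Disallow lines.
"""
import re
from urllib.parse import urljoin

# Allow/Disallow lines; robots.txt directives are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(Allow|Disallow)\s*:\s*(\S+)", re.IGNORECASE)


def robots_paths(text: str) -> list[str]:
    """Return unique, normalised path candidates from every Allow/Disallow line.

    Normalisation: drop query strings and fragments (a directory brute-forcer
    probes paths, not parameters), strip the * wildcard and the $ end anchor,
    and keep a trailing slash where the original had one. Entries that
    collapse to "/" (e.g. "/?hl=") carry no path information and are dropped.
    """
    paths: list[str] = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        path = m.group(2).split("?", 1)[0].split("#", 1)[0]
        path = path.replace("*", "").rstrip("$")
        if not path.startswith("/"):
            path = "/" + path
        if path != "/" and path not in paths:
            paths.append(path)
    return paths


def capitalised(paths: list[str]) -> list[str]:
    """Entries whose first segment starts upper-case: the cue the walkthrough used to pick /Setec/."""
    return [p for p in paths if p.lstrip("/")[:1].isupper()]


def as_urls(base: str, paths: list[str]) -> list[str]:
    """Absolute URLs ready to feed to a fetcher or to write out as a gobuster wordlist."""
    return [urljoin(base, p) for p in paths]


# Constructed sample: a subset of the real file's Allow lines plus two Disallow lines.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /search
Disallow: /groups
Allow: /search/about
Allow: /catalogs/about
Allow: /catalogs/p?
Allow: /?hl=
Allow: /?hl=*&gws_rd=ssl$
Allow: /maps?*output=classic*
Allow: /maps/api/js?
Allow: /places/$
Allow: /Setec/
Allow: /cbk?output=tile&cb_client=maps_sv
Allow: /s2/profiles
"""

if __name__ == "__main__":
    paths = robots_paths(SAMPLE_ROBOTS)
    print("\n".join(as_urls("http://192.168.1.139/", paths)))
    print("capitalised entries:", capitalised(paths))
```

Writing the cleaned paths to a file and passing it to gobuster with -w gives a targeted pass that finishes in seconds, which is worth doing before the generic common.txt run.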

http://192.168.1.139/Setec/

Wow, that actually worked first time, cool. So I'm on a web page with another JPG.

I'll save it and run it through exiftool, but let's check the source while I'm on the page.

<html>
<img src="./Astronomy/Setec_Astronomy.jpg" width="1024" height="768" alt="" />
<!--
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker_Approved("NSA-Agent-Abbott"; AKA Darth Vader);
pageTracker._trackPageview();
} catch(err) {}</script>
-->
</html>

OK, so there's more going on here than a simple JPG page. The commented-out block is shaped like the old Google Analytics snippet, but the tracker call has been altered: the genuine snippet calls _gat._getTracker with a UA- tracking ID, whereas this one calls a non-existent _getTracker_Approved with "NSA-Agent-Abbott"; AKA Darth Vader, which isn't even valid JavaScript, and the whole thing sits inside an HTML comment so it never runs. That isn't tracking code, it's a clue planted in the source.

A quick look at the exif data of this image doesn't show anything of interest.

There is another path to check out, though: the image tag points at ./Astronomy/Setec_Astronomy.jpg, so let's follow that.

The link takes us to the image itself, which lives in /Setec/Astronomy/. Dropping the file name from the URL shows that directory listing is enabled on that folder.

Cool, so there's the JPG and, more importantly, a .zip file too. Let's download it and see what it is.
Damn, it's encrypted, of course it is. OK, I can crack it with fcrackzip using the rockyou wordlist (-D for dictionary mode, -u to verify each candidate by actually unzipping):

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt /root/Desktop/VulnHub\ Boxes/SkyDog/Whistler.zip
found file ‘flag.txt’, (size cp/uc 50/ 38, flags 9, chk 874a)
found file ‘QuesttoFindCosmo.txt’, (size cp/uc 72/ 61, flags 9, chk 83b5)

PASSWORD FOUND!!!!: pw == yourmother

That was fast, cool so now I can unzip the file.

Nice, flag 3 found: flag{1871a3c1da602bf471d3d76cc60cdb9b}, and the hash cracks to yourmother (that would have been really helpful to know about ten minutes ago, haha).

There is also a file called QuesttoFindCosmo.txt with the clue "Time to break out those binoculars and start doing some OSINT".

So at this point I’m going to take a break and have a coffee. 
I don’t immediately know what OSINT is so I’m going to have to do a little research before I can carry on.

So that coffee break turned into a 3 day break due to work and life. But I’m back now and ready to carry on.

OK, let's fire up Google and find out what OSINT is all about.
Open-source intelligence (OSINT) is intelligence collected from publicly available sources, so I guess I need Netcraft or other online search tools. The only real lead I have at the moment is the string from the page source, "NSA-Agent-Abbott"; AKA Darth Vader. An hour or so of googling later I had recorded everything I could find on the actor James Earl Jones (who played NSA agent Abbott in the film Sneakers and voiced Darth Vader) and on Sneakers itself; the film's IMDB page references Whistler and Cosmo, both of which we've already come across in this VM.

So using the list of words I've collected as a wordlist, I'm going to run the site through gobuster and see if we can find any more directories.

root@kali:~# gobuster -w /root/Desktop/sneakers.txt -u http://192.168.1.139/

Gobuster v1.1                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.139/
[+] Threads      : 10
[+] Wordlist     : /root/Desktop/sneakers.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/PlayTronics (Status: 301)
=====================================================

Cool, let's check out the new directory. It's another directory listing, containing a flag text file and a packet capture of company traffic.

First I'll check the flag text:
flag{c07908a705c22922e6d416e0e1107d99}
which cracks to: leroybrown

Then there's the company traffic pcap file; let's download it and see what it has in it.

It wants to open in Wireshark, so let's do that first. If that doesn't get us anywhere we'll run it through aircrack-ng and see if we can brute-force a password out of it.

Opening it in Wireshark just presents loads of traffic that isn't easy to decipher at a glance (in hindsight, a display filter of http.request, or File > Export Objects > HTTP, would have surfaced the interesting request directly). I'm going to leave that vector for now and see if we have any luck getting a password out of it.
Nope: aircrack-ng just reports that the file isn't a supported capture, which makes sense, since it expects 802.11 wireless captures and this plain HTTP capture isn't one.

Back to Google, where I came across an article about a tool called net-creds. I ran the pcap through it and got this as the only result:

root@kali:~/Desktop/net-creds-master# ./net-creds.py -p /root/Desktop/companytrafficcap
[192.168.2.223] GET cf-media.sndcdn.com/8Q3zbtBpxOHb.128.mp3?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiKjovL2NmLW1…

net-creds has pulled a plain-text HTTP GET out of the capture, and it references an MP3 on a CDN, with a Policy parameter in the query string (the signed-URL format CloudFront uses). Let's follow the path and download the MP3.
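To show what net-creds did under the hood, and what the Policy parameter it printed actually carries, here is an added example that is not from the original walkthrough or the net-creds project. It walks a classic pcap record by record, pulls the request line and Host header out of every HTTP request, and then decodes the CloudFront policy from the URL's query string. The capture is constructed inline as a single Ethernet/IPv4/TCP frame: the client address, hostname and MP3 file name mirror the net-creds output above, while the server address 203.0.113.10 and the policy contents are made up.

```python
"""Extract HTTP requests from a pcap and decode a CloudFront signed-URL Policy.

Added example for this walkthrough (not the original author's or net-creds'
code). The sample capture is constructed: one TCP segment to port 80 carrying
a GET shaped like the one net-creds reported; 203.0.113.10 and the policy
body are placeholders.
"""
import base64
import json
import struct
from urllib.parse import parse_qs, urlsplit

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def encode_cloudfront_policy(policy: dict) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    b64 = base64.b64encode(json.dumps(policy, separators=(",", ":")).encode()).decode()
    return b64.replace("+", "-").replace("=", "_").replace("/", "~")


def decode_cloudfront_policy(url: str) -> dict:
    """Reverse the substitution above and parse the JSON policy carried in a signed URL."""
    raw = parse_qs(urlsplit(url).query)["Policy"][0]
    return json.loads(base64.b64decode(raw.replace("-", "+").replace("_", "=").replace("~", "/")))


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_pcap(payload: bytes, src: str = "192.168.2.223", dst: str = "203.0.113.10") -> bytes:
    """Construct a minimal pcap file holding one Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp                  # zero MACs, ethertype IPv4
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + record_hdr + frame


def http_requests(pcap: bytes) -> list[dict]:
    """Return {src, method, url} for every HTTP request line found in an Ethernet pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)      # byte order of the file headers
    if end is None:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    found, off = [], 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame, off = pcap[off:off + caplen], off + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                             # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                             # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total_len]                                  # drops Ethernet trailer padding
        if len(tcp) < 20:
            continue
        data = tcp[(tcp[12] >> 4) * 4:]
        request_line, _, headers = data.partition(b"\r\n")
        parts = request_line.split(b" ")
        if len(parts) != 3 or parts[0] not in (b"GET", b"POST", b"HEAD"):
            continue                                             # not an HTTP request start
        host = ""
        for h in headers.split(b"\r\n"):
            if h[:5].lower() == b"host:":
                host = h[5:].strip().decode("ascii", "replace")
        found.append({
            "src": ".".join(str(b) for b in ip[12:16]),
            "method": parts[0].decode(),
            "url": f"http://{host}{parts[1].decode('ascii', 'replace')}",
        })
    return found


# Constructed sample traffic shaped like the request net-creds reported above.
SAMPLE_POLICY = {"Statement": [{"Resource": "http://cf-media.sndcdn.com/*",
                                "Condition": {"DateLessThan": {"AWS:EpochTime": 1471219200}}}]}
SAMPLE_REQUEST = (
    "GET /8Q3zbtBpxOHb.128.mp3?Policy=" + encode_cloudfront_policy(SAMPLE_POLICY) + " HTTP/1.1\r\n"
    "Host: cf-media.sndcdn.com\r\nUser-Agent: constructed\r\n\r\n"
).encode()
SAMPLE_PCAP = build_pcap(SAMPLE_REQUEST)

if __name__ == "__main__":
    for req in http_requests(SAMPLE_PCAP):
        print(f"[{req['src']}] {req['method']} {req['url']}")
        print(json.dumps(decode_cloudfront_policy(req["url"]), indent=2))
```

The decoded policy tells you what the signed URL is good for and until when (the DateLessThan condition), which is why a captured CloudFront link can be replayed only inside that window; the walkthrough's download worked because the capture was fresh enough. The parser only reassembles nothing: a request split across segments would need TCP stream reassembly, which Wireshark's Follow TCP Stream does for you.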

The MP3 is a really bad recording of a line from the film Sneakers “Hi. My Name Is Werner Brandes. My Voice Is My Passport. Verify Me.” So using that, we can try the ssh username as wernerbrandes and we’ve got 4 flags so far so lets just try each one as the password.

root@kali:~# ssh -l wernerbrandes 192.168.1.139 
wernerbrandes@192.168.1.139's password: Welcome Home
Permission denied, please try again.
wernerbrandes@192.168.1.139's password: Bots
Permission denied, please try again.
wernerbrandes@192.168.1.139's password: yourmother
Permission denied (publickey,password).
root@kali:~# ssh -l wernerbrandes 192.168.1.139 
wernerbrandes@192.168.1.139's password: leroybrown

Bingo, that worked! The password was leroybrown. (The client gave up after three wrong passwords and I had to reconnect for the fourth guess: the OpenSSH client's NumberOfPasswordPrompts defaults to 3.)

Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Sun Aug 14 12:57:27 EDT 2016

System load: 0.08 Memory usage: 3% Processes: 164
 Usage of /: 7.3% of 17.34GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:
 
https://landscape.canonical.com/

30 packages can be updated.
21 updates are security updates.

Last login: Fri Oct 30 19:08:28 2015 from 10.0.2.5
wernerbrandes@skydogctf:~$

Let’s have a look around the box and see what we can find

wernerbrandes@skydogctf:~$ ls
flag.txt
wernerbrandes@skydogctf:~$ cat flag.txt
flag{82ce8d8f5745ff6849fa7af1473c9b35}

Awesome, that's the final flag found! It cracks to: Dr.[space]Gunter[space]Janek

I've kind of run out of time with this VM; life has fully gotten in the way, and I've got to prepare for a job interview and presentation. I know I haven't fully finished it and didn't get root on it, but I'm OK with that on this one. :-) I might come back to it and finish it off in the future.

Huge thanks to James Bower for creating the VM and for Vulnhub.com for hosting it. Great work guys.