Hello friends, I am CodeNinja a.k.a Aakash Choudhary. I am learning pentesting by solving vulnhub machines but sometime myself and manytimes by reading other walkthroughs
Let's see more about notepad.exe
Now let's see the data of notepad.exe
Wow, got something now
66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d
this becomes -->
Finally we got our 8th flag
So I learned a lot by solving this machine and by reading others' solutions
Hope readers also learned from this walkthrough
Thanks to @jamesbower for making such an awesome machine, to vulnhub for hosting such machines for us, and to those who write solutions for such machines so that we all learn
Thanks again 💗
So, today I did the SKYDOG CTF 2016 vulnhub machine, but I did just 70% myself and the rest with the help of solutions. The real motive is to learn, and yes, I learned a lot today. Thanks to the others who post solutions, from which I learned a lot
You can download this vulnhub machine from -> SkyDog: 2016 - Catch Me If You Can
Ok so here is my writeup --->
ATTACKING IP : 192.168.56.130
VICTIM IP : 192.168.56.129
First, here is my keepnote screenshot
==========================================================
Ok, so I divide this section into these ->
- Flag 1
- Flag 2
- Flag 3
- Flag 4
- Flag 5
- Flag 6
- Flag 7
- Flag 8
===========================================================
First let's see the FLAGS instructions -->
Flags
The eight flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}
- Flag #1 Don’t go Home Frank! There’s a Hex on Your House.
- Flag #2 Obscurity or Security?
- Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
- Flag #4 A Good Agent is Hard to Find.
- Flag #5 The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
- Flag #6 Where in the World is Frank?
- Flag #7 Frank Was Caught on Camera Cashing Checks and Yelling - I’m The Fastest Man Alive!
- Flag #8 Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!
===============================================================
1. FLAG 1 :->
- Flag #1 Don’t go Home Frank! There’s a Hex on Your House.
First I always use netdiscover and the arp -a command
ABOUT ->
- NetDiscover is a very neat tool for finding hosts on either wireless or switched networks. It can be used both in active or in passive mode.
- Using the arp command allows you to display and modify the Address Resolution Protocol (ARP) cache. An ARP cache is a simple mapping of IP addresses to MAC addresses.
I use the arp -a command to get the MAC address, which will be helpful for masscanning
NETDISCOVER ->
I got the IP -> 192.168.56.129
netdiscover -r 192.168.56.0/24
Ok
Next step is to get the MAC address
arp -a
got this ->
mac -> 00:0c:29:87:d2:88 --> 00-0c-29-87-d2-88 [using arp -a]
MASSCAN
masscan -p0-65535 --interface eth0 --wait 30 --rate 10000 --router-mac 00-0c-29-87-d2-88 192.168.56.129
Result ->
Discovered open port 80/tcp on 192.168.56.129
Discovered open port 22222/tcp on 192.168.56.129
Discovered open port 443/tcp on 192.168.56.129
Now NMAP to get more information
NMAP
nmap -p80,443,22222 192.168.56.129 -A
Result ->
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after: 2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
| 256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
|_ 256 0e:1b:3f:c3:4a:56:a0:ef:4d:2a:af:a1:7e:94:d2:06 (EdDSA)
MAC Address: 00:0C:29:87:D2:88 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 -- 192.168.56.129
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.94 seconds
So ports 80, 443 and 22222 are open, which are HTTP, HTTPS & SSH respectively
Ok, I noted this down in my keepnote.
As HTTP is open, first let's start by browsing the website
When I opened it, I saw this
Ok, let's figure out source code, comments, robots.txt, and grab directories. These are the usual basic steps to do while pentesting, as ENUMERATION, ENUMERATION and ENUMERATION is essential for every pentester to get more information about the TARGET
First, source code:
<!--[If IE4]><script src="/oldIE/html5.js"></script><![Make sure to remove this before going to PROD]-->
view-source:http://192.168.56.129/
Then I checked http://192.168.56.129/oldIE/html5.js
/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */
After decoding using HEX from hackbar
flag{7c0132070a0ef71d542663e9dc1f5dee}
After decoding the hash on the hashkiller website ---> nmap
So we got our First FLAG :D
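Flag 1 and flag 8 are recovered the same way: a hex string (the html5.js comment here, the notepad.exe memory bytes in the flag 8 part of this writeup) is decoded to a flag{MD5} string, and the MD5 is then looked up in a dictionary (hashkiller in the author's case). The following is an added Python example, not part of the original post, that does both steps offline: it carves hex runs out of arbitrary text, keeps the ones that decode to a flag, and looks the hash up against a word list. The two sample inputs are the hex strings quoted on this page; the candidate word list is constructed for the example, and the code does not assert which word hashes to which flag.

```python
import hashlib
import re

# A run of at least 8 hex bytes, written either contiguously ("666c61677b...")
# or as space-separated byte pairs ("66 6c 61 67 7b ..."). Assumes the run
# starts on a byte boundary (a word boundary in the surrounding text).
HEX_RUN_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}\s?){8,}")
# The flag shape the CTF rules describe: flag{<32 hex chars>}.
FLAG_RE = re.compile(r"flag\{[0-9a-f]{32}\}", re.IGNORECASE)


def carve_hex_flags(text):
    """Return every flag{md5} string hidden as hex inside `text`, in order of appearance."""
    flags = []
    for match in HEX_RUN_RE.finditer(text):
        compact = re.sub(r"\s+", "", match.group(0))
        try:
            decoded = bytes.fromhex(compact).decode("ascii")
        except ValueError:  # UnicodeDecodeError is a ValueError: not ASCII text, skip
            continue
        flags.extend(f.lower() for f in FLAG_RE.findall(decoded))
    return flags


def flag_digest(flag):
    """Pull the 32-hex-char MD5 out of flag{...}; None if the shape is wrong."""
    m = FLAG_RE.fullmatch(flag.strip())
    return m.group(0)[5:-1].lower() if m else None


def md5_hex(word):
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def lookup_md5(flag, candidates):
    """Dictionary step: the candidate word whose MD5 equals the flag's hash, or None."""
    digest = flag_digest(flag)
    if digest is None:
        return None
    for word in candidates:
        if md5_hex(word) == digest:
            return word
    return None


# Sample inputs quoted in the walkthrough: the html5.js comment (flag 1) and the
# bytes read out of notepad.exe's memory (flag 8).
JS_COMMENT = "/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */"
NOTEPAD_HEX = ("66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 "
               "64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d")

# Constructed candidate list: the clue words this walkthrough recovered via hashkiller.
# A real run would use a full word list; which word matches which flag is left to the lookup.
CLUE_WORDS = ["nmap", "encrypt", "personnel", "evidence", "panam", "theflash"]

if __name__ == "__main__":
    for blob in (JS_COMMENT, NOTEPAD_HEX):
        for flag in carve_hex_flags(blob):
            print(flag, "->", lookup_md5(flag, CLUE_WORDS))
```

The carver deliberately ignores hex runs that do not decode to printable ASCII, so MD5 hashes or kernel addresses that happen to sit in the text are not mistaken for encoded flags.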
Now before jumping to FLAG 2, let's use nikto, dirb and dirbuster
NIKTO:
nikto -h 192.168.56.129
---------------------------------------------------------------------------
+ Target IP: 192.168.56.129
+ Target Hostname: 192.168.56.129
+ Target Port: 80
+ Start Time: 2017-08-18 14:23:18 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x47b5 0x53e97541b87ac
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ 7536 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2017-08-18 14:23:44 (GMT5.5) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nothing important there
DIRB:
dirb http://192.168.56.129 /usr/share/wordlists/dirb/big.txt
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.56.129/ ----
+ http://192.168.56.129/404 (CODE:200|SIZE:18360)
==> DIRECTORY: http://192.168.56.129/assets/
+ http://192.168.56.129/favicon (CODE:200|SIZE:1150)
+ http://192.168.56.129/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.56.129/index (CODE:200|SIZE:18357)
+ http://192.168.56.129/personnel (CODE:403|SIZE:131)
+ http://192.168.56.129/rules (CODE:200|SIZE:31156)
+ http://192.168.56.129/server-status (CODE:403|SIZE:302)
---- Entering directory: http://192.168.56.129/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Aug 18 14:31:33 2017
DOWNLOADED: 20458 - FOUND: 7
Got directories
DIRBUSTER:
2. Flag #2 Obscurity or Security?
I already did the nmap before and we already got 3 ports: http, https, ssh
So what does that 2nd flag mean now? Is it pointing to SSH?
Let's connect to SSH
ssh 192.168.56.129 -p 22222
The authenticity of host '[192.168.56.129]:22222 ([192.168.56.129]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.56.129]:22222' (ECDSA) to the list of known hosts.
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
root@192.168.56.129's password:
Ok so we got our 2nd flag
Flag{53c82eba31f6d416f331de9162ebe997}
after decode ---> encrypt
3. Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
So it's talking about intercepting traffic, and from the 2nd flag we got the clue "encrypt"
So all this is telling us about SSL
Now there are many ways to see the security certificate
One: using Wireshark
Two: using HTTPS
Three: using commands like sslyze, sslscan, etc.
I preferred option two, HTTPS
so when I use ->
I checked the security certificate and got this
http://192.168.56.129
So we got our 3rd FLAG -->
flag3{f82366a9ddc064585d54e3f78bde3221}
which after decode -> personnel
Flag #4 A Good Agent is Hard to Find
When I opened the "personnel" directory I got
192.168.56.129/personnel
“ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation.”
FBI Workstation and ACCESS DENIED, hmm, OK
Let's see what instruction Flag 4 is giving us: USER-AGENT
Does that mean we have to change the user agent? YES, but which user agent? I tried some random user agents using a user-agent switcher but failed every time
For those who don't know about USER-AGENT:
"USER-AGENT identifies your browser and provides certain system details to servers hosting the websites you visit. "
"The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent"
Ok, now I was stuck here for a long time, having no clue which User-Agent to use
I then took help from other writeups and got the hint of the JS file; remember, we got it from the comments in the very first section?
I then used the dirtymarkup website so that I could read the JS file clearly. Another option is the jsbeautify website
Just google it
So using dirtymarkup I read the JS file and checked the /* comments
I got this
/* maindev - 6/7/02 Adding temporary support for IE4 FBI Workstations */
/* newmaindev - 5/22/16 Last maindev was and idoit and IE4 is still Gold image -@Support doug.perterson@fbi.gov */
Two things I noted in my keepnote now ->
1. IE4 FBI Workstation
2. doug.peterson@fbi.gov
Now I got to know about the User-Agent -> IE4 will be used
Then I used BURPSUITE to change the User-Agent
In the screenshot I forgot to check Regex Match, so my result did not come out as hoped
So don't forget to check Regex Match
Then I intercepted the request/response and got access to 192.168.56.129/personnel
Which is the FBI Portal page
That FBI Portal welcomes us with "Welcome Agent Hanratty"
I noted this in my keepnote
At the bottom of the portal we find our fourth flag{14e10d570047667f904261e6d08f520f}
and a new clue “Clue = new+flag”.
flag{14e10d570047667f904261e6d08f520f}
after decode -> “evidence”
So, we got our 4th flag :D
Flag #5 The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
That instruction is telling us about guessable, personal, meaning we have to find out a username and password
Remember the clue from flag 4, new+flag? That means -> new+evidence -> newevidence
I thought that is a directory
192.168.56.129/personnel/newevidence
This shows a 404 Not Found error
Then
192.168.56.129/newevidence
Working fine, but when I visit the website an "Authentication Required" prompt pops up
So we have to bypass this authentication, or we can say we need a username and password
Remember agent Hanratty welcomed us?
I googled this
https://www.google.co.in/search?q=agent+hanratty&sourceid=chrome&ie=UTF-8
I checked this result ->
www.historyvshollywood.com/reelfaces/catchmeifyoucan.php
The real Carl Hanratty is a composite of a number of FBI agents who worked to catch Abagnale, most notably FBI Agent Joseph ...................
so I got the name as "carl hanratty"
Now most important is how to use it, and what is the password?
For the username I recall my note -> doug.peterson@fbi.gov
so the username would be in this format ---> carl.hanratty
Ok, I saved this in a user.txt file
Now what about the password?
First I will show you my way, "Burpsuite Brute Forcing", which failed, but then for this I looked at other solutions, got a very good result, and of course I learned it :D
First BURPSUITE
The difference between the last two images above is in URL-encode ===> in the first image you will see an "=" equal character, and in the second image you will see there is no equal sign
Ok now let's start the attack, but we got no result
Just 401 status, and I was looking for a 301 status
Ok, maybe I used too few wordlists
Never mind
Now I looked at other solutions for this purpose and found these
First, I learned to use PATATOR, which is a command line tool to brute force for such purposes. Google it to know more
for item in $(find /usr/share/SecLists/ -name "*\.txt"); do sudo patator http_fuzz url=http://192.168.56.129/newevidence auth_type=basic accept_cookie=1 follow=1 -x ignore:code=401 header='User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)' user_pass="FILE0:FILE1" 0=/home/user.txt 1=$item; done
user.txt -> carl.hanratty
Now I got the result ->
INFO - 200 1465:676 0.081 | carl.hanratty:Grace | 3158 | HTTP/1.1 200 OK
Awesome, we got the password -> Grace
Let's try this
and it really worked, and we got into the directory ->
192.168.56.129/newevidence
NOTE: Don't close Burpsuite yet, as we still have the User-Agent rule there; if we close Burpsuite now we will be in that directory but can't access the other things in it
Ok, now after examining this directory I got this
Evidence.txt
After opening this link ->
flag{117c240d49f54096413dd64280399ea9}
which after decode -> panam
Now what's that "panam" and where will it be used?
Never mind, I got the 5th flag; now let's move further
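Flags 4 and 5 both rest on weaknesses a defender can see in the web server's own logs: /personnel is gated on a client-controlled User-Agent header, and /newevidence is protected only by a guessable basic-auth password, so the patator run above leaves a trail of 401s from one client followed by a 200. As an added example, not part of the original walkthrough, here is a small Python detector over Apache combined-format access log lines. The log lines are constructed to mirror that run (attacker 192.168.56.130, user carl.hanratty, the IE4 User-Agent string from the patator command); the threshold of five failures and the alert names are choices made for this example.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The User-Agent the walkthrough's patator command sends to satisfy the /personnel gate.
IE4_UA = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)"

# Constructed sample: one ordinary visitor, then six basic-auth failures and a success
# from the attacking host against /newevidence, all claiming an IE4 browser.
SAMPLE_LOG = "\n".join(
    ['192.168.56.131 - - [18/Aug/2017:14:39:58 +0530] "GET / HTTP/1.1" 200 18357 "-" '
     '"Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"']
    + [f'192.168.56.130 - carl.hanratty [18/Aug/2017:14:40:0{i} +0530] '
       f'"GET /newevidence HTTP/1.1" 401 3158 "-" "{IE4_UA}"' for i in range(1, 7)]
    + [f'192.168.56.130 - carl.hanratty [18/Aug/2017:14:40:07 +0530] '
       f'"GET /newevidence HTTP/1.1" 200 1465 "-" "{IE4_UA}"']
)


def parse_entries(log_text):
    """Parse combined-format lines into dicts; lines that do not match are dropped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def analyse(log_text, threshold=5):
    """Return (kind, ip, path) alerts in the order they are raised:
    - auth_bruteforce: one client reached `threshold` 401s against one path
    - auth_success_after_failures: a 200 on that path after such a burst (guessed password)
    - legacy_user_agent: a client presenting an IE4-era User-Agent, which in 2017 is a
      spoof rather than a real browser (the /personnel gate invites exactly this)."""
    alerts = []
    failures = defaultdict(int)
    legacy_clients = set()
    for e in parse_entries(log_text):
        key = (e["ip"], e["path"])
        if "MSIE 4." in e["ua"]:
            legacy_clients.add(e["ip"])
        if e["status"] == 401:
            failures[key] += 1
            if failures[key] == threshold:
                alerts.append(("auth_bruteforce", e["ip"], e["path"]))
        elif e["status"] == 200 and failures[key] >= threshold:
            alerts.append(("auth_success_after_failures", e["ip"], e["path"]))
            failures[key] = 0  # reset so a later burst on the same path is reported again
    for ip in sorted(legacy_clients):
        alerts.append(("legacy_user_agent", ip, "*"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The 401-then-200 pattern is the one worth paging on: a burst of failures that ends in success means the credential was guessed, which is exactly what flag 5's instruction ("Simple, Guessable, or Personal") warns about.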
Flag #6 Where in the World is Frank?
In the same directory I also got other files -> "image.jpg" and "Invoice.pdf"
I downloaded both files, and now it's time for steganography and forensic tools
Like :-> exiftool, pdf-parser, steghide, binwalk, volatility
I examined the invoice PDF file first, but nothing there
pdf-parser Invoice.pdf
But nothing important was there
Then that image file was interesting
Then using exiftool on the image file
exiftool image.jpg
Also got nothing from exiftool
So I used another tool I know, steghide
RESULT ->
steghide info image.jpg
"image.jpg":
format: jpeg
capacity: 230.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
What would the passphrase be? Then I recalled the flag hint "panam", used it, and it really worked
RESULT ->
steghide info image.jpg
"image.jpg":
format: jpeg
capacity: 230.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "flag.txt":
size: 71.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
We got flag.txt, WOW
Now let's extract that file
steghide extract -sf image.jpg
Enter passphrase:
wrote extracted data to "flag.txt".
Then we read the file
cat flag.txt
And we got the FLAG in that txt file ->
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance
clue=iheartbrenda
got it, now our 6th flag
Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”
Ok so now from the 6th flag we got the decoded text "ILoveFrance" and the clue "iheartbrenda"
Where will it be used?
Well, leave it for now and focus on the 7th flag instructions
Hey, "I’m The Fastest Man Alive!" I heard it lots of times while watching the Flash TV series
so it's Barry Allen
so where is it used? and what's the connection with iheartbrenda? got it, I know about Brenda too
so let's try it in SSH
PRIVILEGE ESCALATION
ssh barryallen@192.168.56.129 -p22222
I got this ->
###############################################################
# WARNING #
# FBI - Authorized access only! #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
# All actions Will be monitored and recorded #
# Flag{53c82eba31f6d416f331de9162ebe997} #
###############################################################
barryallen@192.168.56.129's password:
Permission denied, please try again.
barryallen@192.168.56.129's password: iheartbrenda
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
14 packages can be updated.
7 updates are security updates.
barryallen@skydogconctf2016:~$
Now it's more enumeration time, to dig more info about the system and the flag of course
FIRST ->
barryallen@skydogconctf2016:~$ ls
flag.txt security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt
flag{bd2f6a1d5242c962a05619c56fa47ba6}
after decoding this -> theflash
So we got our 7th FLAG
Did you notice the security-system.data file?
Let's examine this
This is a zip file, so using
mv security-system.data security-system.data.zip
Then
unzip security-system.data
Then
file security-system.data
I see data file again
Hmm ok Leave it now and focus on 8th FLAG
Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”
Find the code to unlock the door, hmm, interesting. Maybe it means the code is somewhere? Or maybe in that file we unzipped before?
Let's examine it more.
Time to use the steganography tools exiftool and binwalk, but neither tool gave a result.
This time I got stuck again and checked a solution.
I got to know about the FORENSIC tool ---> VOLATILITY
Before using this tool I ran the "man volatility" command to learn about it.
man volatility
volatility - advanced memory forensics framework
volatility [option]
volatility -f [image] --profile=[profile] [plugin]
The Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. It is useful in forensics analysis.
The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system.
Ok, now using the information from the man page, let's use this tool.
But before using it I first downloaded that file to my machine. How? Let's see this command.
TO DOWNLOAD A FILE FROM the remote machine to our machine ->
scp -P 22222 barryallen@192.168.56.129:~/security-system.data ./
Ok, now run the volatility command (pslist lists the processes that were running when the image was taken):
volatility -f security-system.data pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x867c6830 System 4 0 57 171 ------ 0
0x86262900 smss.exe 332 4 3 19 ------ 0 2016-10-10 21:59:14 UTC+0000
0x8623b978 csrss.exe 560 332 10 423 0 0 2016-10-10 21:59:14 UTC+0000
0x865ed020 winlogon.exe 588 332 24 512 0 0 2016-10-10 21:59:14 UTC+0000
0x8662d808 services.exe 664 588 15 263 0 0 2016-10-10 21:59:14 UTC+0000
0x866a5670 lsass.exe 676 588 25 356 0 0 2016-10-10 21:59:14 UTC+0000
0x86358a70 vmacthlp.exe 848 664 1 25 0 0 2016-10-10 21:59:14 UTC+0000
0x86651da0 svchost.exe 860 664 21 202 0 0 2016-10-10 21:59:14 UTC+0000
0x865c2790 svchost.exe 944 664 11 258 0 0 2016-10-10 21:59:14 UTC+0000
0x86554020 svchost.exe 1040 664 82 1287 0 0 2016-10-10 21:59:14 UTC+0000
0x866196b8 svchost.exe 1092 664 5 59 0 0 2016-10-10 21:59:14 UTC+0000
0x8643ca18 svchost.exe 1144 664 17 213 0 0 2016-10-10 21:59:15 UTC+0000
0x866fca88 explorer.exe 1540 1520 14 417 0 0 2016-10-10 21:59:16 UTC+0000
0x8656b4d0 spoolsv.exe 1636 664 15 125 0 0 2016-10-10 21:59:16 UTC+0000
0x86338640 VGAuthService.e 1900 664 2 60 0 0 2016-10-10 21:59:25 UTC+0000
0x8667bda0 vmtoolsd.exe 2012 664 9 271 0 0 2016-10-10 21:59:28 UTC+0000
0x864f6440 wmiprvse.exe 488 860 14 251 0 0 2016-10-10 21:59:28 UTC+0000
0x864fbad0 wscntfy.exe 536 1040 1 31 0 0 2016-10-10 21:59:28 UTC+0000
0x85e5dd48 alg.exe 624 664 8 110 0 0 2016-10-10 21:59:28 UTC+0000
0x866f98b0 vmtoolsd.exe 1352 1540 7 242 0 0 2016-10-10 21:59:29 UTC+0000
0x86674410 ctfmon.exe 1356 1540 1 79 0 0 2016-10-10 21:59:29 UTC+0000
0x865bea48 CCleaner.exe 1388 1540 5 108 0 0 2016-10-10 21:59:29 UTC+0000
0x865c3d78 cmd.exe 1336 1540 1 30 0 0 2016-10-10 22:00:05 UTC+0000
0x8634fbb8 wuauclt.exe 1884 1040 9 198 0 0 2016-10-10 22:00:13 UTC+0000
0x86260a78 wuauclt.exe 1024 1040 6 172 0 0 2016-10-10 22:00:29 UTC+0000
0x8667b488 notepad.exe 268 1540 1 55 0 0 2016-10-10 22:00:41 UTC+0000
0x8640cc10 cmd.exe 1276 2012 0 -------- 0 0 2016-10-10 22:00:49 UTC+0000 2016-10-10 22:00:50 UTC+0000
Let's look more closely at notepad.exe.
volatility -f security-system.data pslist | grep notepad
Volatility Foundation Volatility Framework 2.6
0x8667b488 notepad.exe 268 1540 1 55 0 0 2016-10-10 22:00:41 UTC+0000
Let's get more detail about notepad.exe.
volatility -f security-system.data cmdline --pid 268
Volatility Foundation Volatility Framework 2.6
************************************************************************
notepad.exe pid: 268
Command line : "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Documents and Settings\test\Desktop\code.txt
Now let's see the text data held by notepad.exe:
volatility -f security-system.data notepad
Volatility Foundation Volatility Framework 2.6
Process: 268
Text:?
Text:d
Text:
Text:?
Text:66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d
Wow, got something now:
66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d
This hex decodes to -->
flag{841dd3db29b0fbbd89c7b5be768cdc81}
After decoding -> Twolittlemice
Finally we got our 8th Flag.
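As an added example (not part of the original walkthrough or of Volatility itself), here is a small Python helper that parses Volatility 2.6 pslist rows into a parent/child map, lists which processes a given parent spawned, and decodes the hex "Text:" lines that the notepad plugin printed. The sample rows are constructed from the output shown above.

```python
import re

# Constructed sample in the layout of Volatility 2.6 "pslist" output;
# the rows are a subset of the ones shown in the walkthrough above.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x867c6830 System                    4      0     57      171 ------      0
0x8662d808 services.exe            664    588     15      263      0      0 2016-10-10 21:59:14 UTC+0000
0x866fca88 explorer.exe           1540   1520     14      417      0      0 2016-10-10 21:59:16 UTC+0000
0x8667bda0 vmtoolsd.exe           2012    664      9      271      0      0 2016-10-10 21:59:28 UTC+0000
0x865c3d78 cmd.exe                1336   1540      1       30      0      0 2016-10-10 22:00:05 UTC+0000
0x8667b488 notepad.exe             268   1540      1       55      0      0 2016-10-10 22:00:41 UTC+0000
0x8640cc10 cmd.exe                1276   2012      0 --------      0      0 2016-10-10 22:00:49 UTC+0000
"""

# Constructed sample of what the "notepad" plugin printed for PID 268 (hex taken from the page).
NOTEPAD_SAMPLE = """\
Process: 268
Text:?
Text:66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d
"""

# offset, name, PID, PPID; pslist names never contain spaces (they are truncated to 14 chars)
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)", re.IGNORECASE)

def parse_pslist(text):
    """Map PID -> (name, PPID) from pslist rows; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(3))] = (m.group(2), int(m.group(4)))
    return procs

def children_of(procs, parent_name):
    """Return [(pid, name)] of every process whose parent is named parent_name."""
    parent_pids = {pid for pid, (name, _) in procs.items() if name.lower() == parent_name.lower()}
    return sorted((pid, name) for pid, (name, ppid) in procs.items() if ppid in parent_pids)

def notepad_text(text):
    """Decode the hex 'Text:' lines of the notepad plugin output into readable strings."""
    out = []
    for line in text.splitlines():
        body = line.partition("Text:")[2].strip()
        if re.fullmatch(r"(?:[0-9a-f]{2}\s*)+", body, re.IGNORECASE):
            out.append(bytes.fromhex(body.replace(" ", "")).decode("ascii", "replace"))
    return out
```

children_of() is the same question an analyst asks of a real image: which processes were launched from the user's shell (explorer.exe) and which from a service such as vmtoolsd.exe.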
So I learned a lot by solving this machine and by reading others' solutions.
I hope readers also learned from this walkthrough.
Thanks to @jamesbower for making such an awesome machine, to vulnhub for hosting such machines for us, and to those who write solutions for such machines so that we all learn.
Thanks again 💗
Amazing write-up my brother! Keep up the good work. Hope to see many more posts from you.
Very detailed write-up, keep writing :)
I would like to know two things:
Could you explain more about the Regex instructions on Flag 4, what did you do?
And, the last flag, what is the format of the number before the flag?
Thank you
Afonso
I am just starting to read about CTF
Hi, thanks for asking such questions. Here is my reply.
First about Regex ->
^ <-- This is starting
$ <-- This is ending
Mean to catch exact string we use this -> ^string$
It means start from the "s" word and end at the "g" word.
Ok, now ^User-Agent$ -> starts with U and ends with t.
. <--- This will match a single character, without caring what that character is, but will not match \n line breaks
* <--- This will match zero or more characters
I think you should learn regex first ---> http://www.rexegg.com/
Now about the last flag before decoding.
Before decoding, the last flag you will see is HEX. So I decoded it using a hex decoder. So that format is HEX ENCODED.
Hope you get your answer
Thanks